From effe971249643fcb732e96f26f74aa86d426fb98 Mon Sep 17 00:00:00 2001
From: Graham Gilbert <graham@grahamgilbert.com>
Date: Fri, 23 Oct 2015 10:33:20 +0100
Subject: [PATCH] Preference to Follow HTTP Recirects

---
 code/client/munkilib/fetch.py       |  5 ++++-
 code/client/munkilib/gurl.py        | 12 ++++++++++--
 code/client/munkilib/munkicommon.py |  3 ++-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/code/client/munkilib/fetch.py b/code/client/munkilib/fetch.py
index ebcce731..e00245fe 100644
--- a/code/client/munkilib/fetch.py
+++ b/code/client/munkilib/fetch.py
@@ -225,7 +225,6 @@ def get_url(url, destinationpath,
         raise HTTPError(connection.status,
                         connection.headers.get('http_result_description',''))
 
-
 def getResourceIfChangedAtomically(url,
                                    destinationpath,
                                    custom_headers=None,
@@ -269,6 +268,10 @@ def getResourceIfChangedAtomically(url,
                 'will check if changed and redownload: %s' % destinationpath)
         #continue with normal if-modified-since/etag update methods.
 
+    if follow_redirects != True:
+        # If we haven't explicitly said to follow redirect, the preference decides
+        follow_redirects = munkicommon.pref('FollowHTTPRedirects')
+
     url_parse = urlparse.urlparse(url)
     if url_parse.scheme in ['http', 'https']:
         changed = getHTTPfileIfChangedAtomically(
diff --git a/code/client/munkilib/gurl.py b/code/client/munkilib/gurl.py
index 9f847fb4..f4f4e3f5 100644
--- a/code/client/munkilib/gurl.py
+++ b/code/client/munkilib/gurl.py
@@ -24,6 +24,7 @@ curl replacement using NSURLConnection and friends
 
 import os
 import xattr
+from urlparse import urlparse
 
 # builtin super doesn't work with Cocoa classes in recent PyObjC releases.
 from objc import super
@@ -374,12 +375,19 @@ class Gurl(NSObject):
         # to redirect and where the new location is.
         newURL = request.URL().absoluteString()
         self.redirection.append([newURL, dict(response.allHeaderFields())])
-        if self.follow_redirects:
+        newParsedURL = urlparse(newURL)
+        if self.follow_redirects == True or self.follow_redirects == 'all':
             # Allow the redirect
             self.log('Allowing redirect to: %s' % newURL)
             return request
+        elif self.follow_redirects == 'https' and newParsedURL.scheme == 'https':
+            # Once again, allow the redirect
+            self.log('Allowing redirect to: %s' % newURL)
+            return request
         else:
-            # Deny the redirect
+            # If we're down here either the preference was set to 'none',
+            # the url we're forwarding on to isn't https or follow_redirects
+            # was explicitly set to False
             self.log('Denying redirect to: %s' % newURL)
             return None
 
diff --git a/code/client/munkilib/munkicommon.py b/code/client/munkilib/munkicommon.py
index 083c29f4..0846f334 100755
--- a/code/client/munkilib/munkicommon.py
+++ b/code/client/munkilib/munkicommon.py
@@ -1212,7 +1212,8 @@ def pref(pref_name):
         'SuppressUserNotification': False,
         'SuppressAutoInstall': False,
         'SuppressStopButtonOnInstall': False,
-        'PackageVerificationMode': 'hash'
+        'PackageVerificationMode': 'hash',
+        'FollowTTPRedirects': 'none',
     }
     pref_value = CFPreferencesCopyAppValue(pref_name, BUNDLE_ID)
     if pref_value == None: