Appcast.xml not following redirects?

[christophwille]

Yes that's a testing scenario, but: https://icsharpcode.github.io/ILSpy/appcast.xml redirects to http://ilspy.net/appcast.xml (should to https, but anyways) - the same would happen to eg

https://github.com/icsharpcode/ILSpy-store/raw/main/releases/ILSpy_Installer_8.0.0.7345.msi
(whereas https://raw.githubusercontent.com/icsharpcode/ILSpy-store/main/releases/ILSpy_Installer_8.0.0.7339-rc1.msi doesn't redirect, I had that specific problem with the Microsoft Store)

Does NetSparkle follow redirects in both cases? (I know for sure now that for grabbing the appcast.xml it doesn't). Maybe make it configurable with a default of false (because evilginx2 could be MITM-ing and forcing the redirect, so it should be a choice for the implementer to say "Yes, please open a security hole")

[Deadpikle]

Hi @christophwille,

NetSparkle follows redirects by default. The problem is that HTTPS to HTTP redirects is explicitly not allowed on the library end of things. See dotnet/runtime#21446 (comment).

You could get around this by implementing IAppCastDataDownloader yourself and handling the redirects in your own implementation. However, to make this easier for you/others, I have added a way to do this to both WebRequestAppCastDataDownloader and WebClientFileDownloader. Use it like this (in the case of the former; obviously a blind return true is a terrible idea but you get the picture):

_sparkle.AppCastDataDownloader = new Downloaders.WebRequestAppCastDataDownloader()
{
    RedirectHandler = delegate(string fromURL, string toURL, HttpResponseMessage responseMessage) 
    {
        _sparkle.LogWriter.PrintMessage("Redirecting from {0} to {1}", fromURL, toURL);
        return true;
    }
};

This will be rolling out in a preview build here soon. You seem to be catching multiple things (thank you for that and for your feedback) so I want to use preview builds for a few days so real builds don't get spammed.