[Issue 22950] New: install.sh uses unsafe HTTP to download LATEST

d-bugmail at puremagic.com d-bugmail at puremagic.com
Mon Mar 28 16:14:38 UTC 2022


https://issues.dlang.org/show_bug.cgi?id=22950

          Issue ID: 22950
           Summary: install.sh uses unsafe HTTP to download LATEST
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: tools
          Assignee: nobody at puremagic.com
          Reporter: vuoto17+dlang at hotmail.it

The script at `https://dlang.org/install.sh` uses unsafe HTTP to download
`http://downloads.dlang.org/releases/LATEST` (and related mirrors/files).

This means that a MITM on user traffic would lead to arbitrary
attacker-controlled input reaching the script.

Some implications I manually verified (mind you, I'm not the most skilled
bash/curl person so assume this to be the smallest scope):

1. Downgrade D on a target machine.
2. Print arbitrary text on the target terminal. This includes ANSI escape
sequences, which can do things like clearing the screen, setting the window
title, and potentially writing files or executing programs (in certain terminal
emulators/configurations).
3. Mess with the curl URL. For example, `echo -n '{asd,lol}-2016-10-20' > LATEST`
results in curl running two GET requests. I couldn't do much with it
because it's in the middle of the URL, but again, there might be other attack
angles I didn't think of.

Seems like `downloads.dlang.org` is only served over HTTP.
I would suggest you serve `LATEST` from an HTTPS-only website.
Using a `.sig` file on it would also work, but still leave open the possibility
of attacker-mandated downgrades (if I'm not mistaken).

Thanks,

Paolo

(P.S.: Is `security at dlang.org` still in existence? I found it linked on
dlang.org, but I couldn't deliver my email)

--
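As an added illustration of the mitigation the report asks for (this is example code, not the project's `install.sh` and not the reporter's), the snippet below shows the two defensive steps an installer can take: fetch `LATEST` with curl pinned to HTTPS only, and treat the downloaded string as untrusted input, accepting only a strict version shape before it is interpolated into a URL or echoed to the terminal. The version grammar (`2.099.0`, optionally with a `-suffix`) and the `fetch_latest` URL are assumptions for the example; the validator is what rejects brace-expansion payloads, whitespace, and ANSI escape bytes of the kind described in items 2 and 3.

```shell
#!/bin/sh
# Added example: hardened handling of a downloaded LATEST string.
# Not part of dlang.org's install.sh; URLs and version format are assumed.

# fetch_latest: download LATEST over HTTPS only.
# --proto '=https' makes curl refuse any non-HTTPS URL, including redirects,
# so a plain-HTTP downgrade cannot occur; -f turns HTTP errors into a
# non-zero exit instead of passing an error page through as "the version".
fetch_latest() {
    curl --proto '=https' --tlsv1.2 -fsSL \
        'https://downloads.dlang.org/releases/LATEST'   # assumed HTTPS mirror
}

# validate_version: accept only the assumed release-version grammar
# (e.g. 2.099.0 or 2.099.0-beta.1). Returns non-zero for anything else.
validate_version() {
    v=$1
    # Step 1: byte allow-list. Any character outside [A-Za-z0-9.-] is rejected,
    # which covers '{', ',', whitespace, newlines and ESC (0x1b) from ANSI codes.
    case $v in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Step 2: shape check. Three dotted numeric components, optional -suffix.
    printf '%s' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$'
}

# release_url: build the download URL only from a validated version, so the
# untrusted string never reaches curl's URL parser unchecked.
# Path layout is assumed for the example.
release_url() {
    validate_version "$1" || return 1
    printf 'https://downloads.dlang.org/releases/2.x/%s/dmd.%s.linux.tar.xz\n' "$1" "$1"
}

# install_flow: how the pieces fit together in an installer (not run here).
install_flow() {
    latest=$(fetch_latest) || { echo 'could not fetch LATEST' >&2; return 1; }
    url=$(release_url "$latest") || { echo 'LATEST rejected as malformed' >&2; return 1; }
    echo "would download: $url"
}
```

The second step matters even with HTTPS in place: a compromised or misconfigured mirror still only gets to supply a string that matches the version grammar, so it cannot inject terminal control sequences or alter the URL structure. A detached signature on `LATEST`, as the report notes, would add authenticity but not by itself prevent a replayed older (validly signed) version string.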