Volafile / volafile-bugs

Volafile.org public bug tracker

Downloads do not work: Redirection loop #180

Closed RealDolos closed 7 years ago

RealDolos commented 7 years ago

@laino you seriously broke something. Most files (I think those being cloudflared) do not actually work, but there is a redirection loop instead.

This was confirmed by multiple other users. Here is an example of a file just uploaded to BEEPi (by MercWMouth):

PS: It's not curl related, happens in a browser too.

$ curl -L --max-redirs 5 -v 'https://volafile.io/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png'
*   Trying 51.255.168.166...
* Connected to volafile.io (51.255.168.166) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*    subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.volafile.io
*    start date: Aug  6 00:00:00 2016 GMT
*    expire date: Aug  8 23:59:59 2017 GMT
*    subjectAltName: volafile.io matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*    SSL certificate verify ok.
> GET /get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png HTTP/1.1
> Host: volafile.io
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Content-Type: text/html
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png
< Date: Fri, 09 Dec 2016 07:39:34 GMT
< Transfer-Encoding: chunked
< Strict-Transport-Security: max-age=1296000
< 
* Ignoring the response-body
* Connection #0 to host volafile.io left intact
* Issue another request to this URL: 'https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png'
*   Trying 104.25.135.100...
* Connected to dl4.volafile.net (104.25.135.100) port 443 (#1)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
*    subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=ssl373197.cloudflaressl.com
*    start date: Dec  2 00:00:00 2016 GMT
*    expire date: Jun  4 23:59:59 2017 GMT
*    subjectAltName: dl4.volafile.net matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO ECC Domain Validation Secure Server CA 2
*    SSL certificate verify ok.
> GET /get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png HTTP/1.1
> Host: dl4.volafile.net
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Fri, 09 Dec 2016 07:39:35 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d187e3fc5933c1648dd797c4418bae5811481269175; expires=Sat, 09-Dec-17 07:39:35 GMT; path=/; domain=.volafile.net; HttpOnly
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png
< Strict-Transport-Security: max-age=1296000
< CF-Cache-Status: MISS
< Expires: Fri, 09 Dec 2016 15:39:35 GMT
< Cache-Control: public, max-age=28800
< Server: cloudflare-nginx
< CF-RAY: 30e6cdd7c9022bd6-AMS
< 
* Ignoring the response-body
* Connection #1 to host dl4.volafile.net left intact
* Issue another request to this URL: 'https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png'
* Found bundle for host dl4.volafile.net: 0x1ed2470
* Re-using existing connection! (#1) with host dl4.volafile.net
* Connected to dl4.volafile.net (104.25.135.100) port 443 (#1)
> GET /get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png HTTP/1.1
> Host: dl4.volafile.net
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Fri, 09 Dec 2016 07:39:35 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d187e3fc5933c1648dd797c4418bae5811481269175; expires=Sat, 09-Dec-17 07:39:35 GMT; path=/; domain=.volafile.net; HttpOnly
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png
< Strict-Transport-Security: max-age=1296000
< CF-Cache-Status: MISS
< Expires: Fri, 09 Dec 2016 15:39:35 GMT
< Cache-Control: public, max-age=28800
< Server: cloudflare-nginx
< CF-RAY: 30e6cdd8493a2bd6-AMS
< 
* Ignoring the response-body
* Connection #1 to host dl4.volafile.net left intact
* Issue another request to this URL: 'https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png'
* Found bundle for host dl4.volafile.net: 0x1ed2470
* Re-using existing connection! (#1) with host dl4.volafile.net
* Connected to dl4.volafile.net (104.25.135.100) port 443 (#1)
> GET /get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png HTTP/1.1
> Host: dl4.volafile.net
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Fri, 09 Dec 2016 07:39:35 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d187e3fc5933c1648dd797c4418bae5811481269175; expires=Sat, 09-Dec-17 07:39:35 GMT; path=/; domain=.volafile.net; HttpOnly
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png
< Strict-Transport-Security: max-age=1296000
< CF-Cache-Status: MISS
< Expires: Fri, 09 Dec 2016 15:39:35 GMT
< Cache-Control: public, max-age=28800
< Server: cloudflare-nginx
< CF-RAY: 30e6cdd8794f2bd6-AMS
< 
* Ignoring the response-body
* Connection #1 to host dl4.volafile.net left intact
* Issue another request to this URL: 'https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png'
* Found bundle for host dl4.volafile.net: 0x1ed2470
* Re-using existing connection! (#1) with host dl4.volafile.net
* Connected to dl4.volafile.net (104.25.135.100) port 443 (#1)
> GET /get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png HTTP/1.1
> Host: dl4.volafile.net
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Fri, 09 Dec 2016 07:39:35 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d187e3fc5933c1648dd797c4418bae5811481269175; expires=Sat, 09-Dec-17 07:39:35 GMT; path=/; domain=.volafile.net; HttpOnly
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png
< Strict-Transport-Security: max-age=1296000
< CF-Cache-Status: MISS
< Expires: Fri, 09 Dec 2016 15:39:35 GMT
< Cache-Control: public, max-age=28800
< Server: cloudflare-nginx
< CF-RAY: 30e6cdd8b96c2bd6-AMS
< 
* Ignoring the response-body
* Connection #1 to host dl4.volafile.net left intact
* Issue another request to this URL: 'https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png'
* Found bundle for host dl4.volafile.net: 0x1ed2470
* Re-using existing connection! (#1) with host dl4.volafile.net
* Connected to dl4.volafile.net (104.25.135.100) port 443 (#1)
> GET /get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png HTTP/1.1
> Host: dl4.volafile.net
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Fri, 09 Dec 2016 07:39:35 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d187e3fc5933c1648dd797c4418bae5811481269175; expires=Sat, 09-Dec-17 07:39:35 GMT; path=/; domain=.volafile.net; HttpOnly
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/Cthulhu%20fighting%20longcat%20in%20space%20--%20made%20by%20a%20drawfag%20LolCats%201341189663537.png
< Strict-Transport-Security: max-age=1296000
< CF-Cache-Status: MISS
< Expires: Fri, 09 Dec 2016 15:39:35 GMT
< Cache-Control: public, max-age=28800
< Server: cloudflare-nginx
< CF-RAY: 30e6cdd8f9832bd6-AMS
< 
* Ignoring the response-body
* Connection #1 to host dl4.volafile.net left intact
* Maximum (5) redirects followed
curl: (47) Maximum (5) redirects followed

RealDolos commented 7 years ago

Yep, "large" downloads which bypass Cloudflare still work, "old" downloads that Cloudflare has still cached still work. New downloads small enough for Cloudflare do not work and enter said redirection loop.

So this is definitely a problem with how vola interacts with Cloudflare. Also, the redirects set a dlsession=undefined cookie with each redirect, which might be related.
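
The two symptoms visible in the trace (a `Location` that points back at the URL just requested, and the `dlsession=undefined` cookie) can be checked mechanically on `curl -v` output. The following is an added example, not part of the original thread or of Volafile's code; `parse_hops` and `findings` are hypothetical names and the sample is a condensed copy of the trace. It also applies the RFC 6265 rule that a client ignores a cookie whose `Domain` attribute does not domain-match the host that sent it, which is the case for `Domain=volafile.io` sent by `dl4.volafile.net`.

```python
import re

# Constructed sample: first two hops of the trace above, file name shortened to "f.png".
SAMPLE = """\
> GET /get/R3tqP9Ofw66BA/f.png HTTP/1.1
> Host: volafile.io
< HTTP/1.1 302 Found
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/f.png
> GET /get/R3tqP9Ofw66BA/f.png HTTP/1.1
> Host: dl4.volafile.net
< HTTP/1.1 302 Found
< Set-Cookie: dlsession=undefined; Max-Age=604800; Domain=volafile.io; Path=/; HttpOnly
< Location: https://dl4.volafile.net/get/R3tqP9Ofw66BA/f.png
"""

def parse_hops(trace):
    """Split `curl -v` output into one dict per request/response pair."""
    hops = []
    for line in trace.splitlines():
        if m := re.match(r"> GET (\S+) HTTP/", line):
            hops.append({"path": m.group(1), "cookies": []})
        elif hops and (m := re.match(r"[<>] ([\w-]+): (.*)", line)):
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "set-cookie":
                hops[-1]["cookies"].append(value)
            else:
                hops[-1][key] = value
        elif hops and (m := re.match(r"< HTTP/\S+ (\d{3})", line)):
            hops[-1]["status"] = int(m.group(1))
    return hops

def findings(hops):
    """Flag self-redirects and cookies the responding host cannot set."""
    out = []
    for i, hop in enumerate(hops):
        host = hop.get("host", "").lower()
        target = hop.get("location", "").split("://", 1)[-1]
        if 300 <= hop.get("status", 0) < 400 and target == host + hop["path"]:
            out.append((i, "self-redirect"))
        for cookie in hop["cookies"]:
            pair, *attrs = [p.strip() for p in cookie.split(";")]
            domain = next((a[7:].lstrip(".").lower() for a in attrs
                           if a.lower().startswith("domain=")), host)
            if pair.endswith("=undefined"):
                out.append((i, "placeholder-value " + pair))
            # RFC 6265: Domain must domain-match the host that sent the cookie.
            if host != domain and not host.endswith("." + domain):
                out.append((i, "cookie-domain-mismatch " + domain))
    return out
```

Running `findings(parse_hops(...))` on a saved `curl -v` trace reports each problem with the index of the hop where it occurs.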