From c1c5e275385cca4306832d98e316e40b39310c1d Mon Sep 17 00:00:00 2001
From: Steffen Dirkwinkel
Date: Sun, 24 Jul 2022 02:09:19 +0200
Subject: [PATCH] quickget: get_windows: validate that download url leads to microsoft cdn (#455)

For windows downloads hashes aren't validated via hashes. Let's at least validate that downloads are coming from microsoft via https.

Signed-off-by: Steffen Dirkwinkel
---
 quickget | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/quickget b/quickget
index ecf81cf..938d299 100755
--- a/quickget
+++ b/quickget
@@ -1687,9 +1687,17 @@ function get_windows() {
 dbg_windows "${DOWNLOAD_SHA1}"
 DOWNLOAD_ID=$(echo "${DOWNLOAD_INFO}" | grep -oP '(?<=https:\/\/tb\.rg-adguard\.net/dl\.php\?go=)[0-9a-z]+')
 dbg_windows "${DOWNLOAD_ID}"
- DOWNLOAD_URL="https://tb.rg-adguard.net/dl.php?go=${DOWNLOAD_ID}"
+ REDIRECT_URL="https://tb.rg-adguard.net/dl.php?go=${DOWNLOAD_ID}"
+ dbg_windows "${REDIRECT_URL}"
+ DOWNLOAD_URL=$(curl --head --silent --write-out "%{redirect_url}\n" --output /dev/null "${REDIRECT_URL}")
 dbg_windows "${DOWNLOAD_URL}"
+ MS_BASE_URL="https://software.download.prss.microsoft.com/"
+ if [[ ! ${DOWNLOAD_URL} =~ ^${MS_BASE_URL} ]]; then
+ echo "Download URL not leading to Microsoft CDN"
+ exit 1
+ fi
+
 echo "Downloading ${WINDOWS_NAME}..."
 web_get "${DOWNLOAD_URL}" "${VM_PATH}" "${FILE_NAME}"
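Review bot: The host check `[[ ! ${DOWNLOAD_URL} =~ ^${MS_BASE_URL} ]]` expands `MS_BASE_URL` unquoted on the right of `=~`, so bash reads it as a regular expression and every `.` in the hostname matches any character; the test is therefore looser than a literal prefix match and can accept a host outside microsoft.com. A literal comparison closes that: `if [[ "${DOWNLOAD_URL}" != "${MS_BASE_URL}"* ]]; then`. The check also covers only the first redirect reported by `curl --head`; whether `web_get` (defined outside this hunk) follows further redirects is not visible here and is worth confirming, since the commit message says the download has no hash verification to fall back on. The failure message would be better on stderr, `echo "Download URL not leading to Microsoft CDN" >&2`. get_windows begins and ends outside the hunk.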