Hello Michael,

from the NEWS file (wget 1.13.3):

** By default, on server redirects, use the original URL to get the
local file name. Close CVE-2010-2252. This introduces a
backward-incompatibility; any script that relies on the old behaviour
must use --trust-server-names.

Cheers,
Giuseppe

Michael Shigorin <m...@osdn.org.ua> writes:

> Hello Micah,
> I've noted that wget-1.13.4 behaves differently on a situation
> involving redirects, weird thing is that it was spotted on SF
> which is quite typical use case for a wget user I guess.
>
> This manifests itself in pre-redirect basename being chosen
> for the save path, not the final location's one.
>
> Here's 1.13.4:
>
> $ wget http://sourceforge.net/projects/pdsh/files/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2/download
> --2011-09-25 21:45:36-- http://sourceforge.net/projects/pdsh/files/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2/download
> Resolving sourceforge.net (sourceforge.net)... 216.34.181.60
> Connecting to sourceforge.net (sourceforge.net)|216.34.181.60|:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: http://downloads.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2?r=&ts=1316976337&use_mirror=netcologne [following]
> --2011-09-25 21:45:37-- http://downloads.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2?r=&ts=1316976337&use_mirror=netcologne
> Resolving downloads.sourceforge.net (downloads.sourceforge.net)... 216.34.181.59
> Connecting to downloads.sourceforge.net (downloads.sourceforge.net)|216.34.181.59|:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: http://netcologne.dl.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2 [following]
> --2011-09-25 21:45:37-- http://netcologne.dl.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2
> Resolving netcologne.dl.sourceforge.net (netcologne.dl.sourceforge.net)... 78.35.24.46, 2001:4dd0:1234:6::5f
> Connecting to netcologne.dl.sourceforge.net (netcologne.dl.sourceforge.net)|78.35.24.46|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 490732 (479K) [application/x-bzip2]
> Saving to: `download'
>
> 100%[======================================>] 490,732 412K/s in 1.2s
>
>
> 2011-09-25 21:45:38 (412 KB/s) - `download' saved [490732/490732]
>
> Here's as it was with 1.12:
>
> $ wget http://sourceforge.net/projects/pdsh/files/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2/download
> --2011-09-25 21:50:39-- http://sourceforge.net/projects/pdsh/files/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2/download
> Resolving sourceforge.net... 216.34.181.60
> Connecting to sourceforge.net|216.34.181.60|:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: http://downloads.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2?r=&ts=1316976639&use_mirror=heanet [following]
> --2011-09-25 21:50:39-- http://downloads.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2?r=&ts=1316976639&use_mirror=heanet
> Resolving downloads.sourceforge.net... 216.34.181.59
> Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: http://heanet.dl.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2 [following]
> --2011-09-25 21:50:40-- http://heanet.dl.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2
> Resolving heanet.dl.sourceforge.net... 193.1.193.66, 2001:770:18:aa40::c101:c142
> Connecting to heanet.dl.sourceforge.net|193.1.193.66|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 490732 (479K) [application/x-bzip2]
> Saving to: `pdsh-2.26.tar.bz2'
>
> 100%[======================================>] 490,732 119K/s in 4.1s
>
>
> 2011-09-25 21:50:44 (117 KB/s) - `pdsh-2.26.tar.bz2' saved [490732/490732]
>
> (I've downgraded the package and on the non-"screenshot" attempt
> it got redirected to the same netcologne mirror, so no server
> side difference seems involved)
>
> PS: I also chose to stay --with-ssl=openssl while the kinks
> are worked out, in particular the distribution's ca-certificates
> weren't used for verification.
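
Added example, not part of the thread and not wget's own code: a simplified model of the two naming policies from the NEWS entry, applied to the redirect chain in the 1.13.4 log, plus one way a script can keep the friendlier name by validating it and passing it to `-O` instead of using --trust-server-names. The function names, the `SAFE_NAME` pattern, the suffix list and the assumption that the script already knows the redirect chain are all choices made for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed policy for this example: plain names only, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$")

def url_basename(url):
    """Last path component of a URL (simplified model of wget's naming)."""
    name = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    return name or "index.html"

def default_name(chain, trust_server_names=False):
    """Original URL names the file by default; the final URL only when trusted."""
    return url_basename(chain[-1] if trust_server_names else chain[0])

def pinned_name(chain, expected_suffixes=(".tar.bz2", ".tar.gz")):
    """Accept the server-chosen name only if it validates, else use the original's."""
    candidate = url_basename(chain[-1])
    if SAFE_NAME.match(candidate) and candidate.endswith(expected_suffixes):
        return candidate
    return url_basename(chain[0])

def wget_argv(chain):
    """Command line that fixes the output name with -O rather than trusting redirects."""
    return ["wget", "-O", pinned_name(chain), chain[0]]

# Redirect chain copied from the 1.13.4 log above.
CHAIN = [
    "http://sourceforge.net/projects/pdsh/files/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2/download",
    "http://downloads.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2"
    "?r=&ts=1316976337&use_mirror=netcologne",
    "http://netcologne.dl.sourceforge.net/project/pdsh/pdsh/pdsh-2.26/pdsh-2.26.tar.bz2",
]

if __name__ == "__main__":
    print(default_name(CHAIN))                           # 1.13.x default
    print(default_name(CHAIN, trust_server_names=True))  # 1.12 behaviour
    print(" ".join(wget_argv(CHAIN)))                    # validated, pinned name
```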