Comment #0 by vuoto17+dlang — 2022-03-28T16:14:38Z
The script at `https://dlang.org/install.sh` uses unsafe HTTP to download `http://downloads.dlang.org/releases/LATEST` (and related mirrors/files).
This means that a MITM on user traffic would lead to arbitrary attacker-controlled input reaching the script.
Some implications I manually verified (mind you, I'm not the most skilled bash/curl person so assume this to be the smallest scope):
1. Downgrade D on a target machine.
2. Print arbitrary text on the target terminal. This includes ANSI escape sequences, which can do things like clearing the screen, setting the window title, and potentially writing files or executing programs (in certain terminal emulators/configurations).
3. Mess with the curl URL. For example, `echo -n '{asd,lol}-2016-10-20' > LATEST` results in curl running two GET requests. I couldn't do much with it because it's in the middle of the URL, but again, there might be other attack angles I didn't think of.
Seems like `downloads.dlang.org` is only served over HTTP.
I would suggest you serve `LATEST` from an HTTPS-only website.
Using a `.sig` file on it would also work, but still leave open the possibility of attacker-mandated downgrades (if I'm not mistaken).
Thanks,
Paolo
(P.S.: Is `[email protected]` still in existence? I found it linked on dlang.org, but I couldn't deliver my email)
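As an added example (this is not dlang.org's install.sh, nor any other project code), the following POSIX sh shows the guards a practitioner would want around the points raised in this report: a whitelist check on the `LATEST` value before it is spliced into a URL or printed, an HTTPS-only base URL, `curl --globoff` so that a `{a,b}` value cannot expand into several requests, and a version comparison that refuses a downgrade. The release-name shape (`2.099.0`, `2.099.0-rc.1`) and the tarball path layout are assumptions for illustration and were not checked against the real mirror.

```shell
#!/bin/sh
# Added example, not code from dlang.org's install.sh. Demonstrates minimal
# guards for a LATEST value that may be attacker-controlled (fetched over HTTP).
# Assumptions (not from the report): release names look like 2.099.0 or
# 2.099.0-rc.1; tarballs live at <base>/releases/2.x/<ver>/dmd.<ver>.linux.tar.xz.

# validate_latest VALUE: accept only a plain release name. Curl glob
# characters ({a,b}, [1-3]), ANSI escape bytes (ESC is outside the allowed
# set) and embedded newlines are all rejected by the character whitelist.
validate_latest() {
    case "$1" in
        '' | *[!0-9A-Za-z.-]*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'
}

# release_url BASE VERSION: build the tarball URL, refusing a non-HTTPS base
# (the report's core issue) and any VERSION that fails validate_latest.
# The rejected value is deliberately not echoed, so escape sequences in it
# never reach the terminal.
release_url() {
    case "$1" in
        https://*) ;;
        *) printf 'refusing non-HTTPS base URL: %s\n' "$1" >&2; return 1 ;;
    esac
    validate_latest "$2" || { printf 'refusing suspicious LATEST value\n' >&2; return 1; }
    printf '%s/releases/2.x/%s/dmd.%s.linux.tar.xz\n' "$1" "$2" "$2"
}

# version_lt A B: true if A < B, comparing only the numeric major.minor.patch
# part (any -rc suffix is stripped). Used to refuse attacker-mandated downgrades.
version_lt() {
    a=${1%%-*}; b=${2%%-*}
    a1=${a%%.*}; a_rest=${a#*.}; a2=${a_rest%%.*}; a3=${a_rest#*.}
    b1=${b%%.*}; b_rest=${b#*.}; b2=${b_rest%%.*}; b3=${b_rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Demo with constructed inputs; nothing is downloaded. --globoff makes curl
# treat {} and [] literally, so even a value that slipped past validation
# cannot turn into several requests.
if url=$(release_url https://downloads.dlang.org 2.099.0); then
    printf 'would run: curl -fsSL --globoff -o dmd.tar.xz %s\n' "$url"
fi
if validate_latest '{asd,lol}-2016-10-20'; then
    echo "BUG: glob value accepted"
else
    echo "glob value from the report rejected"
fi
installed=2.099.0   # constructed: pretend this is the locally installed dmd
candidate=2.098.1   # constructed: what a MITM-served LATEST could claim
if version_lt "$candidate" "$installed"; then
    printf 'refusing downgrade from %s to %s\n' "$installed" "$candidate"
fi
```

The whitelist does the real work: once `LATEST` can only be a release name, neither the URL nor anything printed from it can carry curl globs or terminal escapes. The HTTPS check and the downgrade comparison cover the two remaining points in the report (plain-HTTP transport and a signed-but-older release being served).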
Comment #1 by ibuclaw — 2022-07-18T12:05:42Z
This is on the Foundation's radar. The plan is to take control of (well, fork) the downloads.dlang.org site, and make it https with http-redirect.
Comment #2 by aldacron — 2022-07-18T12:58:21Z
> (P.S.: Is `[email protected]` still in existence? I found it linked on dlang.org, but I couldn't deliver my email)
That was an oversight when we moved away from self-hosting our dlang.org emails. I'll get it set up again. Thanks!