From 2d7abfd9fa9a95e78f97bb5b8b1e6d3899ef3f3e Mon Sep 17 00:00:00 2001
From: epriestley
Date: Tue, 29 Nov 2016 05:25:53 -0800
Subject: [PATCH] Use HTTPS, not HTTP, in install scripts
Summary: Via HackerOne. A researcher correctly reports that our install scripts use `HTTP`, not `HTTPS`, to fetch resources and execute them as `root`, which is a potentially significant vulnerability. Instead, use `HTTPS`.
Test Plan: Verified that these URIs function correctly over `HTTPS`.
Reviewers: chad
Reviewed By: chad
Differential Revision: https://secure.phabricator.com/D16958
---
 scripts/install/install_rhel-derivs.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install/install_rhel-derivs.sh b/scripts/install/install_rhel-derivs.sh
index abb67d60b3..8c856ba40f 100755
--- a/scripts/install/install_rhel-derivs.sh
+++ b/scripts/install/install_rhel-derivs.sh
@@ -67,7 +67,7 @@ then
 if [ $? -ne 0 ]; then
 echo "It doesn't look like you have the EPEL repo enabled. We are to add it"
 echo "for you, so that we can install git."
- $SUDO rpm -Uvh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
+ $SUDO rpm -Uvh https://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
 fi
 YUMCOMMAND="$SUDO yum install httpd git php53 php53-cli php53-mysql php53-process php53-devel php53-gd gcc wget make pcre-devel mysql-server"
 else
@@ -92,7 +92,7 @@ then
 # Now that we've ensured all the devel packages required for pecl/apc are there, let's
 # set up PEAR, and install apc.
 echo "Attempting to install PEAR"
- wget http://pear.php.net/go-pear.phar
+ wget https://pear.php.net/go-pear.phar
 $SUDO php go-pear.phar && $SUDO pecl install apc
 fi
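Review bot: The `$SUDO rpm -Uvh https://…/epel-release-5-4.noarch.rpm` line in the first hunk (`@@ -67,7`) still installs the package as root without checking its signature; HTTPS authenticates the server that answered, not the RPM it served. As far as I know rpm only prints a warning when a package's signing key is missing from its keyring, so on a fresh host the install would proceed unverified, and this hostname appears to be a mirror redirector, so the file may come from a different server than the one named. I would download the file first, import the EPEL signing key from a trusted copy, and only install the local file when `rpm -K epel-release-5-4.noarch.rpm` succeeds. The outer `then`/`else` block this sits in starts and ends outside the hunk.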
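Review bot: `wget https://pear.php.net/go-pear.phar` in the second hunk (`@@ -92,7`) writes into the current directory and its exit status is not checked before `$SUDO php go-pear.phar` runs. If a `go-pear.phar` is already present, wget by default saves the new download under another name (`go-pear.phar.1`), so the older file is the one executed as root, and the same happens when the download fails. HTTPS also says nothing about the file's contents, so I would fetch into a fresh `mktemp -d` directory, stop on failure, and compare against a pinned digest before running it. In the sketch below `GO_PEAR_SHA256` is a placeholder for the digest of a reviewed installer, and whether `sha256sum` exists on the oldest supported release needs confirming. The enclosing `then … fi` block starts outside the hunk.

```shell
# … unchanged: echo "Attempting to install PEAR" …
PEAR_TMP=$(mktemp -d) || exit 1
wget -O "$PEAR_TMP/go-pear.phar" https://pear.php.net/go-pear.phar || exit 1
# GO_PEAR_SHA256 is a placeholder: pin the digest of the installer you reviewed.
echo "$GO_PEAR_SHA256  $PEAR_TMP/go-pear.phar" | sha256sum -c - || exit 1
$SUDO php "$PEAR_TMP/go-pear.phar" && $SUDO pecl install apc
rm -rf "$PEAR_TMP"
```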