OPDS: Inform and warn about downgrade attack (#7032)

Fixes <https://github.com/koreader/koreader/issues/7007>.

frontend/ui/widget/opdsbrowser.lua

@@ -342,6 +342,11 @@ function OPDSBrowser:fetchFeed(item_url, username, password, method)
         UIManager:show(InfoMessage:new{
             text = T(_("The catalog has been permanently moved. Please update catalog URL to '%1'."), BD.url(headers['Location'])),
         })
+    elseif code == 302 and item_url:match("^https") and headers.location:match("^http[^s]") then
+        UIManager:show(InfoMessage:new{
+            text = T(_("Insecure HTTPS → HTTP downgrade attempted by redirect from:\n\n'%1'\n\nto\n\n'%2'.\n\nPlease inform the server administrator that many clients disallow this because it could be a downgrade attack."), BD.url(item_url), BD.url(headers.location)),
+            icon = "notice-warning",
+        })
     elseif code == 401 then
         UIManager:show(InfoMessage:new{
             text = T(_("Authentication required for catalog. Please add a username and password.")),
@@ -559,10 +564,10 @@ function OPDSBrowser:downloadFile(item, format, remote_url)
             local parsed = url.parse(remote_url)
             http.TIMEOUT = 20
 
-            local dummy, c = nil
+            local dummy, code, headers
 
             if parsed.scheme == "http" then
-                dummy, c = http.request {
+                dummy, code, headers = http.request {
                     url         = remote_url,
                     sink        = ltn12.sink.file(io.open(local_path, "w")),
                     user        = item.username,
@@ -571,7 +576,7 @@ function OPDSBrowser:downloadFile(item, format, remote_url)
             elseif parsed.scheme == "https" then
                 local auth = (item.username and item.password) and string.format("%s:%s", item.username, item.password) or nil
                 local hostname = parsed.host
-                dummy, c = http.request {
+                dummy, code, headers = http.request {
                     url         = remote_url,
                     headers     = auth and { Authorization = "Basic " .. mime.b64(auth), ["Host"] = hostname } or nil,
                     sink        = ltn12.sink.file(io.open(local_path, "w")),
@@ -583,12 +588,19 @@ function OPDSBrowser:downloadFile(item, format, remote_url)
                 })
             end
 
-            if c == 200 then
+            if code == 200 then
                 logger.dbg("file downloaded to", local_path)
                 if self.file_downloaded_callback then
                     self.file_downloaded_callback(local_path)
                 end
+            elseif code == 302 and remote_url:match("^https") and headers.location:match("^http[^s]") then
+                util.removeFile(local_path)
+                UIManager:show(InfoMessage:new{
+                    text = T(_("Insecure HTTPS → HTTP downgrade attempted by redirect from:\n\n'%1'\n\nto\n\n'%2'.\n\nPlease inform the server administrator that many clients disallow this because it could be a downgrade attack."), BD.url(remote_url), BD.url(headers.location)),
+                    icon = "notice-warning",
+                })
             else
+                util.removeFile(local_path)
                 UIManager:show(InfoMessage:new {
                     text = _("Could not save file to:\n") .. BD.filepath(local_path),
                     timeout = 3,