mirror of
https://github.com/moparisthebest/curl
synced 2025-01-11 05:58:01 -05:00
libcurl: Restrict redirect schemes
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS counterpart were allowed for redirect. This vastly broadens the exploitation surface in case of a vulnerability such as SSRF [1], where libcurl-based clients are forced to make requests to arbitrary hosts. For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based protocol by URL-encoding a payload in the URI. Gopher will open a TCP connection and send the payload. Only HTTP/HTTPS and FTP are allowed. All other protocols have to be explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> Closes #4094
This commit is contained in:
Linos Giannopoulos
Daniel Stenberg
parent
7e8f1916d6
commit
6080ea098d
@ -488,9 +488,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
|||||||
define since we internally only use the lower 16 bits for the passed
|
define since we internally only use the lower 16 bits for the passed
|
||||||
in bitmask to not conflict with the private bits */
|
in bitmask to not conflict with the private bits */
|
||||||
set->allowed_protocols = CURLPROTO_ALL;
|
set->allowed_protocols = CURLPROTO_ALL;
|
||||||
set->redir_protocols = CURLPROTO_ALL & /* All except FILE, SCP and SMB */
|
set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP;
|
||||||
~(CURLPROTO_FILE | CURLPROTO_SCP | CURLPROTO_SMB |
|
|
||||||
CURLPROTO_SMBS);
|
|
||||||
|
|
||||||
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
||||||
/*
|
/*
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user