doh: allow only http and https in debug mode

Otherwise curl may be told to use for instance pop3 to communicate with the doh server, which most likely is not what you want. Found through fuzzing. Closes #4406
2024-08-13 17:03:50 -04:00 · 2019-09-23 13:11:49 +02:00 · 2019-09-23 13:11:49 +02:00 · a5bf6a36c5
commit a5bf6a36c5
parent bb74201804
1 changed files with 3 additions and 0 deletions
--- a/lib/doh.c
+++ b/lib/doh.c
@ -264,6 +264,9 @@ static CURLcode dohprobe(struct Curl_easy *data,
 #ifndef CURLDEBUG
    /* enforce HTTPS if not debug */
    ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+#else
+    /* in debug mode, also allow http */
+    ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS);
 #endif
    ERROR_CHECK_SETOPT(CURLOPT_TIMEOUT_MS, (long)timeout_ms);
    if(data->set.verbose)