libcurl: Restrict redirect schemes (follow-up)
- Allow FTPS on redirect.
- Update default allowed redirect protocols in documentation.
Follow-up to 6080ea0.
Ref: https://github.com/curl/curl/pull/4094
Closes https://github.com/curl/curl/pull/4115
This commit is contained in:
parent
647e726d78
commit
e8442e4ffc
@ -11,7 +11,8 @@ Example, allow only HTTP and HTTPS on redirect:
|
|||||||
|
|
||||||
curl --proto-redir -all,http,https http://example.com
|
curl --proto-redir -all,http,https http://example.com
|
||||||
|
|
||||||
By default curl will allow all protocols on redirect except several disabled
|
By default curl will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2).
|
||||||
for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0
|
Older versions of curl allowed all protocols on redirect except several
|
||||||
SMB and SMBS are also disabled. Specifying \fIall\fP or \fI+all\fP enables all
|
disabled for security reasons: Since 7.19.4 FILE and SCP are disabled, and
|
||||||
protocols on redirect, including those disabled for security.
|
since 7.40.0 SMB and SMBS are also disabled. Specifying \fIall\fP or \fI+all\fP
|
||||||
|
enables all protocols on redirect, including those disabled for security.
|
||||||
|
@ -97,8 +97,8 @@ Never ever switch off certificate verification.
|
|||||||
The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
|
The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
|
||||||
redirects sent by a remote server. These redirects can refer to any kind of
|
redirects sent by a remote server. These redirects can refer to any kind of
|
||||||
URL, not just HTTP. libcurl restricts the protocols allowed to be used in
|
URL, not just HTTP. libcurl restricts the protocols allowed to be used in
|
||||||
redirects for security reasons: only HTTP, HTTPS and FTP are enabled by
|
redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are
|
||||||
default. Applications may opt to restrict thus set further.
|
enabled by default. Applications may opt to restrict that set further.
|
||||||
|
|
||||||
A redirect to a file: URL would cause the libcurl to read (or write) arbitrary
|
A redirect to a file: URL would cause the libcurl to read (or write) arbitrary
|
||||||
files from the local filesystem. If the application returns the data back to
|
files from the local filesystem. If the application returns the data back to
|
||||||
|
@ -39,7 +39,8 @@ libcurl will follow.
|
|||||||
|
|
||||||
libcurl limits what protocols it automatically follows to. The accepted
|
libcurl limits what protocols it automatically follows to. The accepted
|
||||||
protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl
|
protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl
|
||||||
will allow all protocols on redirect except those disabled for security
|
will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2). Older versions of
|
||||||
|
libcurl allowed all protocols on redirect except those disabled for security
|
||||||
reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS
|
reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS
|
||||||
are also disabled.
|
are also disabled.
|
||||||
|
|
||||||
|
@ -37,10 +37,11 @@ redirections.
|
|||||||
Protocols denied by \fICURLOPT_PROTOCOLS(3)\fP are not overridden by this
|
Protocols denied by \fICURLOPT_PROTOCOLS(3)\fP are not overridden by this
|
||||||
option.
|
option.
|
||||||
|
|
||||||
By default libcurl will allow all protocols on redirect except several disabled
|
By default libcurl will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2).
|
||||||
for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0
|
Older versions of libcurl allowed all protocols on redirect except several
|
||||||
SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all protocols on
|
disabled for security reasons: Since 7.19.4 FILE and SCP are disabled, and
|
||||||
redirect, including those disabled for security.
|
since 7.40.0 SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all
|
||||||
|
protocols on redirect, including those disabled for security.
|
||||||
|
|
||||||
These are the available protocol defines:
|
These are the available protocol defines:
|
||||||
.nf
|
.nf
|
||||||
|
@ -1574,8 +1574,7 @@ typedef enum {
|
|||||||
|
|
||||||
/* set the bitmask for the protocols that libcurl is allowed to follow to,
|
/* set the bitmask for the protocols that libcurl is allowed to follow to,
|
||||||
as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
|
as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
|
||||||
to be set in both bitmasks to be allowed to get redirected to. Defaults
|
to be set in both bitmasks to be allowed to get redirected to. */
|
||||||
to all protocols except FILE and SCP. */
|
|
||||||
CINIT(REDIR_PROTOCOLS, LONG, 182),
|
CINIT(REDIR_PROTOCOLS, LONG, 182),
|
||||||
|
|
||||||
/* set the SSH knownhost file name to use */
|
/* set the SSH knownhost file name to use */
|
||||||
|
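Review bot: The header comment on CURLOPT_REDIR_PROTOCOLS now says nothing about the default at all once the stale "Defaults to all protocols except FILE and SCP" sentence is dropped, so a reader of the public header has to go to the man pages to learn that redirects are restricted by default. Since this same commit settles the new default, I would state it here instead of deleting it: `to be set in both bitmasks to be allowed to get redirected to. Defaults to HTTP, HTTPS, FTP and FTPS (since 7.65.2). */`. The identical comment in the CURLOPT_REDIR_PROTOCOLS case of Curl_vsetopt (next hunk) has the same gap. The enclosing typedef enum begins and ends outside this hunk.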
@ -2374,8 +2374,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|||||||
case CURLOPT_REDIR_PROTOCOLS:
|
case CURLOPT_REDIR_PROTOCOLS:
|
||||||
/* set the bitmask for the protocols that libcurl is allowed to follow to,
|
/* set the bitmask for the protocols that libcurl is allowed to follow to,
|
||||||
as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
|
as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
|
||||||
to be set in both bitmasks to be allowed to get redirected to. Defaults
|
to be set in both bitmasks to be allowed to get redirected to. */
|
||||||
to all protocols except FILE and SCP. */
|
|
||||||
data->set.redir_protocols = va_arg(param, long);
|
data->set.redir_protocols = va_arg(param, long);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
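Review bot: The comment in the CURLOPT_REDIR_PROTOCOLS case is a verbatim copy of the one in the public header, and this commit already had to edit both copies in lockstep; a second copy is where the next change will be missed. I would keep the explanation in one place and reduce this one to a pointer, e.g. `/* see the CURLOPT_REDIR_PROTOCOLS description in the public header */`, leaving the va_arg assignment and break as they are. Curl_vsetopt starts and ends outside this hunk.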
@ -488,7 +488,8 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
|||||||
define since we internally only use the lower 16 bits for the passed
|
define since we internally only use the lower 16 bits for the passed
|
||||||
in bitmask to not conflict with the private bits */
|
in bitmask to not conflict with the private bits */
|
||||||
set->allowed_protocols = CURLPROTO_ALL;
|
set->allowed_protocols = CURLPROTO_ALL;
|
||||||
set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP;
|
set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP |
|
||||||
|
CURLPROTO_FTPS;
|
||||||
|
|
||||||
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
||||||
/*
|
/*
|
||||||
|
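Review bot: The new redir_protocols initializer is the only place the redirect allow-list default lives, yet it carries no comment saying why it is a narrow list while allowed_protocols just above is CURLPROTO_ALL; the comment above the pair only explains the 16-bit layout of allowed_protocols. I would add, above the assignment, a short comment stating that redirects are deliberately limited to HTTP, HTTPS, FTP and FTPS because a Location target can name any scheme, and that FILE, SCP, SMB and SMBS are the schemes the documentation lists as disabled for security reasons (a file: target would let a server read or write local files). That keeps the reason next to the value the man pages in this commit describe. If the test suite does not already pin this default, a test checking the 7.65.2 value would catch it drifting from the documentation, but the tests are not visible from this hunk. Curl_init_userdefined continues outside the hunk.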