1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 00:58:48 -05:00

libcurl: Restrict redirect schemes (follow-up)

- Allow FTPS on redirect.

- Update default allowed redirect protocols in documentation.

Follow-up to 6080ea0.

Ref: https://github.com/curl/curl/pull/4094

Closes https://github.com/curl/curl/pull/4115
This commit is contained in:
Jay Satiro 2019-07-16 03:35:54 -04:00
parent 647e726d78
commit e8442e4ffc
7 changed files with 18 additions and 16 deletions

View File

@ -11,7 +11,8 @@ Example, allow only HTTP and HTTPS on redirect:
curl --proto-redir -all,http,https http://example.com curl --proto-redir -all,http,https http://example.com
By default curl will allow all protocols on redirect except several disabled By default curl will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2).
for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 Older versions of curl allowed all protocols on redirect except several
SMB and SMBS are also disabled. Specifying \fIall\fP or \fI+all\fP enables all disabled for security reasons: Since 7.19.4 FILE and SCP are disabled, and
protocols on redirect, including those disabled for security. since 7.40.0 SMB and SMBS are also disabled. Specifying \fIall\fP or \fI+all\fP
enables all protocols on redirect, including those disabled for security.

View File

@ -97,8 +97,8 @@ Never ever switch off certificate verification.
The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
redirects sent by a remote server. These redirects can refer to any kind of redirects sent by a remote server. These redirects can refer to any kind of
URL, not just HTTP. libcurl restricts the protocols allowed to be used in URL, not just HTTP. libcurl restricts the protocols allowed to be used in
redirects for security reasons: only HTTP, HTTPS and FTP are enabled by redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are
default. Applications may opt to restrict thus set further. enabled by default. Applications may opt to restrict that set further.
A redirect to a file: URL would cause the libcurl to read (or write) arbitrary A redirect to a file: URL would cause the libcurl to read (or write) arbitrary
files from the local filesystem. If the application returns the data back to files from the local filesystem. If the application returns the data back to

View File

@ -39,7 +39,8 @@ libcurl will follow.
libcurl limits what protocols it automatically follows to. The accepted libcurl limits what protocols it automatically follows to. The accepted
protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl
will allow all protocols on redirect except those disabled for security will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2). Older versions of
libcurl allowed all protocols on redirect except those disabled for security
reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS
are also disabled. are also disabled.

View File

@ -37,10 +37,11 @@ redirections.
Protocols denied by \fICURLOPT_PROTOCOLS(3)\fP are not overridden by this Protocols denied by \fICURLOPT_PROTOCOLS(3)\fP are not overridden by this
option. option.
By default libcurl will allow all protocols on redirect except several disabled By default libcurl will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2).
for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 Older versions of libcurl allowed all protocols on redirect except several
SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all protocols on disabled for security reasons: Since 7.19.4 FILE and SCP are disabled, and
redirect, including those disabled for security. since 7.40.0 SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all
protocols on redirect, including those disabled for security.
These are the available protocol defines: These are the available protocol defines:
.nf .nf

View File

@ -1574,8 +1574,7 @@ typedef enum {
/* set the bitmask for the protocols that libcurl is allowed to follow to, /* set the bitmask for the protocols that libcurl is allowed to follow to,
as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
to be set in both bitmasks to be allowed to get redirected to. Defaults to be set in both bitmasks to be allowed to get redirected to. */
to all protocols except FILE and SCP. */
CINIT(REDIR_PROTOCOLS, LONG, 182), CINIT(REDIR_PROTOCOLS, LONG, 182),
/* set the SSH knownhost file name to use */ /* set the SSH knownhost file name to use */

View File

@ -2374,8 +2374,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
case CURLOPT_REDIR_PROTOCOLS: case CURLOPT_REDIR_PROTOCOLS:
/* set the bitmask for the protocols that libcurl is allowed to follow to, /* set the bitmask for the protocols that libcurl is allowed to follow to,
as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
to be set in both bitmasks to be allowed to get redirected to. Defaults to be set in both bitmasks to be allowed to get redirected to. */
to all protocols except FILE and SCP. */
data->set.redir_protocols = va_arg(param, long); data->set.redir_protocols = va_arg(param, long);
break; break;

View File

@ -488,7 +488,8 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
define since we internally only use the lower 16 bits for the passed define since we internally only use the lower 16 bits for the passed
in bitmask to not conflict with the private bits */ in bitmask to not conflict with the private bits */
set->allowed_protocols = CURLPROTO_ALL; set->allowed_protocols = CURLPROTO_ALL;
set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP; set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP |
CURLPROTO_FTPS;
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
/* /*