import: turn off weird protocols in curl

Let's lock things down a bit and now allow curl's weirder protocols to be used with our use. i.e. stick to http:// + https:// + file:// and turn everything else off. (Gopher!) This is cde that interfaces with the network after all, and we better shouldn't support protocols needlessly that are much less tested. (Given that HTTP redirects (and other redirects) exist, this should give us a security benefit, since we will then be sure that noone can forward us to a weird protocol, which we never tested, and other people test neither)
2024-11-01 17:51:22 +03:00 · 2021-08-19 18:12:56 +02:00 · 2021-08-19 18:12:56 +02:00 · 55b90ee00b
commit 55b90ee00b
parent ceea13e20f
1 changed files with 3 additions and 0 deletions
--- a/src/import/curl-util.c
+++ b/src/import/curl-util.c
@ -256,6 +256,9 @@ int curl_glue_make(CURL **ret, const char *url, void *userdata) {
        if (curl_easy_setopt(c, CURLOPT_LOW_SPEED_LIMIT, 30L) != CURLE_OK)
                return -EIO;

+        if (curl_easy_setopt(c, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_FILE) != CURLE_OK)
+                return -EIO;
+
        *ret = TAKE_PTR(c);
        return 0;
 }