.gear/rules | 2 + .../tags/c40b3253cb9b7c3d77cda15b70438c1bb29b6cc8 | 13 + .gear/tags/list | 1 + curl-config.in | 15 +- curl.spec | 352 ++++++++++++++++++++ docs/libcurl/curl_easy_setopt.3 | 24 ++ include/curl/curl.h | 27 ++ lib/content_encoding.c | 2 +- lib/easy.c | 7 + lib/ssluse.c | 40 ++- lib/url.c | 32 ++ lib/urldata.h | 35 ++- 12 files changed, 511 insertions(+), 39 deletions(-) diff --git a/.gear/rules b/.gear/rules new file mode 100644 index 0000000..0b10e84 --- /dev/null +++ b/.gear/rules @@ -0,0 +1,2 @@ +tar: v@version@:. name=curl-@version@ +diff: v@version@:. . diff --git a/.gear/tags/c40b3253cb9b7c3d77cda15b70438c1bb29b6cc8 b/.gear/tags/c40b3253cb9b7c3d77cda15b70438c1bb29b6cc8 new file mode 100644 index 0000000..8689c7d --- /dev/null +++ b/.gear/tags/c40b3253cb9b7c3d77cda15b70438c1bb29b6cc8 @@ -0,0 +1,13 @@ +object 0c5f8c96c07e96f395c534a7d31a321da2243dcf +type commit +tag v7.17.1 +tagger Anton Farygin 1235642277 +0300 + +7.17.1 +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (GNU/Linux) + +iEYEABECAAYFAkmmZ6oACgkQqohfd2vlwKtWSACffb9tz/GK6sGigJVI7S1CLYx9 +ji8AnjEsQojW9MikO0oGAmlnHw+DMwqe +=nbuM +-----END PGP SIGNATURE----- diff --git a/.gear/tags/list b/.gear/tags/list new file mode 100644 index 0000000..1d27536 --- /dev/null +++ b/.gear/tags/list @@ -0,0 +1 @@ +c40b3253cb9b7c3d77cda15b70438c1bb29b6cc8 v7.17.1 diff --git a/curl-config.in b/curl-config.in index 20cfc75..ccebd25 100644 --- a/curl-config.in +++ b/curl-config.in @@ -72,7 +72,7 @@ while test $# -gt 0; do ;; --cc) - echo "@CC@" + echo "gcc" ;; --prefix) 
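Review bot: `--cc` now prints the literal `gcc` instead of the configure-substituted `@CC@`, so a tree configured with another compiler or a wrapper (`clang`, `ccache gcc`, a cross toolchain) reports the wrong compiler to anything that consumes curl-config. If the intent is only to avoid leaking the build host's absolute compiler path, keep the substitution and strip the directory, e.g. `echo "@CC@" | sed 's|^.*/||'`, rather than hardcoding a name. The enclosing `while`/`case` loop starts before and ends after the hunk.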
@@ -189,20 +189,11 @@ while test $# -gt 0; do ;; --libs) - if test "X@libdir@" != "X/usr/lib"; then - CURLLIBDIR="-L@libdir@ " - else - CURLLIBDIR="" - fi - if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then - echo ${CURLLIBDIR}-lcurl @LDFLAGS@ @LIBCURL_LIBS@ @LIBS@ - else - echo ${CURLLIBDIR}-lcurl @LDFLAGS@ @LIBS@ - fi + pkg-config libcurl --libs ;; --static-libs) - echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ @LIBS@ + pkg-config libcurl --libs --static ;; *) diff --git a/curl.spec b/curl.spec new file mode 100644 index 0000000..04fe3e2 --- /dev/null +++ b/curl.spec 
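Review bot: `--libs` and `--static-libs` now shell out to `pkg-config` without checking that it is installed or that `libcurl.pc` is on its search path; when either is missing the script prints nothing on stdout and still exits 0, so a consumer's link line silently loses `-lcurl`. Guard the calls before the `case`, e.g. `pkg-config --exists libcurl || { echo "curl-config: libcurl.pc not found" >&2; exit 1; }`, or fall back to the previous literal output. Note the hunk also drops the `@REQUIRE_LIB_DEPS@` distinction, so the dynamic `--libs` output now depends entirely on what `libcurl.pc` declares. The enclosing `case` starts before the hunk.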
@@ -0,0 +1,352 @@ +Name: curl +Version: 7.17.1 +Release: alt4.M40.2 + +Summary: Gets a file from a FTP, GOPHER or HTTP server +Summary(ru_RU.UTF-8): Утилиты и библиотеки для передачи файлов +License: MPL or MIT +Group: Networking/File transfer +Url: http://curl.haxx.se + +Source: %url/download/%name-%version.tar +Patch0: %name-%version-%release.patch + +Requires: lib%name = %version-%release + +# Automatically added by buildreq on Fri Feb 09 2007 +BuildRequires: gcc-c++ glibc-devel-static groff-base libidn-devel libssl-devel zlib-devel + +%package -n lib%name +Summary: The shared library for file transfer +Summary(ru_RU.UTF-8): Библиотеки для передачи файлов +Group: System/Libraries +Provides: %name-lib = %version +Obsoletes: %name-lib +Requires: ca-certificates + +%package -n lib%name-devel +Summary: Header files for lib%name +Summary(ru_RU.UTF-8): Заголовочные файлы для lib%name +Group: Development/C +Requires: lib%name = %version-%release libidn-devel libssl-devel zlib-devel +Provides: %name-devel = %version +Obsoletes: %name-devel + +%package -n lib%name-devel-static +Summary: Static libraries for lib%name +Summary(ru_RU.UTF-8): Статические библиотеки для lib%name +Group: Development/C +Requires: lib%name-devel = %version-%release + +%description +Curl is a client to get documents/files from servers, using any of the +supported protocols. The command is designed to work without user +interaction or any kind of interactivity. + +Curl offers a busload of useful tricks like proxy support, user +authentication, ftp upload, HTTP post, file transfer resume and more. + +NOTE: This version is compiled with SSL (https) support. + +%description -l ru_RU.UTF-8 +Curl - это клиент для получения файлов или документов с серверов, используя +один из поддерживаемых протоколов. Команда сделана таким образом, что бы работала +без вмешательства пользователя (или с вмешательством пользователя). 
+ +Curl позволяет делать операции над сетевыми файлами, используя поддержку Прокси, +авторизацию пользователя, докачку файлов и многое другое. + +%description -n lib%name +Lib%name is a library of functions for sending and receiving files through +various protocols, including http and ftp. + +You should install this package if you plan to use any applications that +use lib%name. + +%description -n lib%name -l ru_RU.UTF-8 +Lib%name - это библиотека функций для отправки или получения файлов через +различные сетевые протоколы, включая http и ftp. + +Вам нужно установить этот пакет, если вы планируете использовать приложения +с использованием lib%name. + +%description -n lib%name-devel +Lib%name is a library of functions for sending and receiving files through +various protocols, including http and ftp. + +You should install this package if you wish to develop applications that +utilize lib%name. + +%description -n lib%name-devel -l ru_RU.UTF-8 +Lib%name - это библиотека функций для отправки или получения файлов через +различные сетевые протоколы, включая http и ftp. + +Вам нужно установить этот пакет, если вы планируете разрабатывать приложения +с использованием lib%name. + + +%description -n lib%name-devel-static +Lib%name is a library of functions for sending and receiving files through +various protocols, including http and ftp. + +You should install this package if you wish to develop statically linked +applications that utilize lib%name. + +%description -n lib%name-devel-static -l ru_RU.UTF-8 +Lib%name - это библиотека функций для отправки или получения файлов через +различные сетевые протоколы, включая http и ftp. + +Вам нужно установить этот пакет, если вы планируете разрабатывать статически +скомпилированные приложения с использованием lib%name. 
+ +%prep +%setup -q +%patch0 -p1 + +%build +./buildconf +%configure --with-ssl \ + --with-libidn\ + --enable-ipv6\ + --disable-rpat\ + --disable-ldap\ + --without-gssapi\ + --with-ca-bundle=%_datadir/ca-certificates/ca-bundle.crt + +%make_build + +%install +%make install DESTDIR=$RPM_BUILD_ROOT + +%post -n lib%name -p /sbin/ldconfig +%postun -n lib%name -p /sbin/ldconfig + +%files +%_bindir/curl +%_man1dir/curl.1* + +%files -n lib%name +%_libdir/*.so.* + +%doc CHANGES README* docs/{FAQ,FEATURES} + +%files -n lib%name-devel +%_libdir/*.so +%_libdir/pkgconfig/libcurl.pc +%_bindir/curl-config +%_includedir/* +%_man3dir/* +%_man1dir/curl-config.1* +%doc docs/{THANKS,BUGS,CONTRIBUTE,INTERNALS,MANUAL,RESOURCES,TheArtOfHttpScripting,TODO,examples} + +%files -n lib%name-devel-static +%_libdir/*.a + +%changelog +* Thu Feb 11 2010 Anton Farygin 7.17.1-alt4.M40.2 +- security fix from mainstream (http://curl.haxx.se/docs/adv_20100209.html) + +* Thu Aug 13 2009 Anton Farygin 7.17.1-alt4.M40.1 +- fixed CVE-2009-2417 + +* Thu Feb 26 2009 Anton Farygin 7.17.1-alt3.M40.1 +- fixed CVE-2009-0037 +- use pkg-config in curl-config (backport patch from Sisyphus) + +* Thu Nov 15 2007 Anton Farygin 7.17.1-alt2 +- disabled ldap support + +* Tue Nov 06 2007 Anton Farygin 7.17.1-alt1 +- new version + +* Fri Sep 14 2007 Anton Farygin 7.17.0-alt1 +- new version +- removed patch1 (included to mainstream) +- removed unsused patch0 + +* Tue Sep 11 2007 Anton Farygin 7.16.4-alt2 +- added patch to ftp from sbolshakov@. 
Fixed anonymous login on some non-standart servers + +* Wed Jul 11 2007 Anton Farygin 7.16.4-alt1 +- new version with security fixes (CVE-2007-3564) +- disabled kerberos support (by requiest from krb5 mantainer) + +* Tue Jul 03 2007 Anton Farygin 7.16.3-alt1 +- new version + +* Thu Apr 12 2007 Anton Farygin 7.16.2-alt1 +- new version + +* Mon Feb 12 2007 Anton Farygin 7.16.1-alt3 +- fixed curl-config --libs and libcurl.pc (unneeded libs removed) + +* Fri Feb 09 2007 Anton Farygin 7.16.1-alt2 +- use ca-certificates +- build with gssapi support +- updated build requires + +* Wed Jan 31 2007 Anton Farygin 7.16.1-alt1 +- new version + +* Tue Jan 09 2007 Anton Farygin 7.16.0-alt1 +- new version (soname changed) + +* Wed Sep 13 2006 Anton Farygin 7.15.5-alt1 +- new version + +* Fri Mar 24 2006 Anton Farygin 7.15.3-alt1 +- new version + +* Fri Oct 14 2005 Anton Farygin 7.15.0-alt1 +- new version + +* Fri Sep 02 2005 Anton Farygin 7.14.1-alt1 +- new version + +* Tue May 17 2005 Anton Farygin 7.14.0-alt1 +- new version + +* Fri May 06 2005 Anton Farygin 7.13.2-alt1 +- new version + +* Fri Mar 04 2005 Anton Farygin 7.13.1-alt1 +- 7.13.1 + +* Mon Feb 07 2005 Anton Farygin 7.13.0-alt2 +- lib%name-devel: added requires to libidn-devel libssl-devel zlib-devel + +* Tue Feb 01 2005 Anton Farygin 7.13.0-alt1 +- new version + +* Tue Jan 18 2005 Anton Farygin 7.12.3-alt1 +- new version + +* Fri Oct 29 2004 Anton Farygin 7.12.2-alt1 +- new version + +* Fri Oct 15 2004 Anton Farygin 7.12.1-alt1 +- new version + +* Mon Apr 26 2004 Anton Farygin 7.11.2-alt1 +- new version + +* Tue Apr 20 2004 Anton Farygin 7.11.1-alt1 +- new version + +* Thu Mar 18 2004 Anton Farygin 7.11.0-alt1 +- new version + +* Sun Dec 14 2003 Rider 7.10.8-alt1 +- new version + +* Wed Apr 30 2003 Rider 7.10.4-alt1 +- 7.10.4 + +* Mon Mar 31 2003 Rider 7.10.3-alt1 +- 7.10.3 + +* Fri Nov 22 2002 Rider 7.10.2-alt1 +- new version + +* Fri Oct 04 2002 Rider 7.10-alt1 +- 7.10 + +* Fri Jun 14 2002 Rider 7.9.8-alt1 +- 7.9.8 + 
+* Sat Jun 01 2002 Rider 7.9.7-alt1 +- 7.9.7 + +* Sat Apr 27 2002 Rider 7.9.6-alt1 +- 7.9.6 + +* Wed Mar 27 2002 Rider 7.9.5-alt1 +- 7.9.5 + +* Sat Feb 09 2002 Rider 7.9.4-alt1 +- 7.9.4 + +* Thu Jan 03 2002 Rider 7.9.2-alt1 +- 7.9.2 +- russian summary and description + +* Tue Oct 09 2001 Rider 7.9-alt1 +- 7.9 + +* Fri Aug 24 2001 Rider 7.8.1-alt1 +- 7.8.1 + +* Tue May 22 2001 Alexander Bokovoy 7.7.3-alt2 +- Fixed: + + curl-config moved to libcurl-devel + + curl-config(1) moved to libcurl-devel + +* Tue May 08 2001 Rider 7.7.3-alt1 +- 7.7.3 + +* Wed Apr 25 2001 Rider 7.7.2-alt1 +- 7.7.2 + +* Thu Apr 05 2001 Rider 7.7.1-alt1 +- 7.7.1 + +* Sun Jan 28 2001 Dmitry V. Levin 7.6-ipl1mdk +- 7.6 + +* Sun Jan 21 2001 Dmitry V. Levin 7.5.2-ipl2mdk +- RE adaptions. + +* Tue Jan 9 2001 DindinX 7.5.2-2mdk +- change lisence, according to the author's will (reported by F. Crozat) +- added some sample codes to the -devel package + +* Tue Jan 9 2001 DindinX 7.5.2-1mdk +- 7.5.2 +- small spec updates + +* Mon Dec 18 2000 DindinX 7.5.1-2mdk +- corrected URL + +* Wed Dec 13 2000 DindinX 7.5.1-1mdk +- 7.5.1 + +* Thu Dec 07 2000 Geoffrey lee 7.5-2mdk +- manually include fcntl.h, strangely, it has been left out (sucky!!!). + +* Mon Dec 04 2000 Geoffrey lee 7.5-1mdk +- new and shiny source. +- requires: curl = %%version + +* Wed Nov 15 2000 Geoffrey Lee 7.4.2-5mdk +- really 7.4.2. +- well we compile with ssl now, so obviously description is wrong (daoudascks) + +* Mon Nov 13 2000 Daouda Lo 7.4.2-4mdk +- compiled with ssl (from TitiSux) + +* Mon Nov 13 2000 Daouda Lo 7.4.2-3mdk +- relase pre4. 
+ +* Fri Nov 10 2000 Lenny Cartier 7.4.2-2mdk +- fiw requires + +* Tue Nov 07 2000 Daouda Lo 7.4.2-1mdk +- new release + +* Fri Nov 03 2000 DindinX 7.4.1-1mdk +- 7.4.1 + +* Mon Aug 28 2000 Lenny Cartier 7.1-1mdk +- used srpm from Anton Graham : + - new version + - new -lib and -devel packages + +* Mon Aug 28 2000 Lenny Cartier 6.5.2-3mdk +- change description +- clean spec + +* Tue Jul 11 2000 Anton Graham 6.5.2-2mdk +- Macroification + +* Wed May 03 2000 Anton Graham 6.5.2-1mdk +- First Mandrake build diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index e78e200..57b4cf0 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 
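Review bot: `--disable-rpat` in the `%configure` line looks like a typo for `--disable-rpath`; autoconf-generated configure scripts only warn about an unrecognised `--disable-*` option, so if that is the case the build still embeds rpaths and the intended effect is silently lost — confirm against the configure help output and change it to `--disable-rpath\`. The `%build` section is otherwise straightforward; the changelog entries for the CVE fixes do not say which patch hunks implement them, so a one-line pointer there to the affected files would help a later auditor.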
@@ -400,6 +400,26 @@ The string given to CURLOPT_URL must be url-encoded and following the RFC 2396 \fICURLOPT_URL\fP is the only option that \fBmust\fP be set before \fIcurl_easy_perform(3)\fP is called. + +\fICURLOPT_PROTOCOLS\fP can be used to limit what protocols libcurl will use +for this transfer, independent of what libcurl has been compiled to +support. That may be useful if you accept the URL from an external source and +want to limit the accessibility. +.IP CURLOPT_PROTOCOLS +Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask +limits what protocols libcurl may use in the transfer. This allows you to have +a libcurl built to support a wide range of protocols but still limit specific +transfers to only be allowed to use a subset of them. By default libcurl will +accept all protocols it supports. See also +\fICURLOPT_REDIR_PROTOCOLS\fP. (Added in 7.19.4) +.IP CURLOPT_REDIR_PROTOCOLS +Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask +limits what protocols libcurl may use in a transfer that it follows to in a +redirect when \fICURLOPT_FOLLOWLOCATION\fP is enabled. This allows you to +limit specific transfers to only be allowed to use a subset of protocols in +redirections. By default libcurl will allow all protocols except for FILE and +SCP. This is a difference compared to pre-7.19.4 versions which +unconditionally would follow to all protocols supported. (Added in 7.19.4) .IP CURLOPT_PROXY Set HTTP proxy to use. The parameter should be a char * to a zero terminated string holding the host name or dotted IP address. To specify port number in 
@@ -631,6 +651,10 @@ This means that the library will re-send the same request on the new location and follow new Location: headers all the way until no more such headers are returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number of redirects libcurl will follow.
+
+NOTE: since 7.19.4, libcurl can limit to what protocols it will automatically
+follow. The accepted protocols are set with \fICURLOPT_REDIR_PROTOCOLS\fP and
+it excludes the FILE protocol by default.
 .IP CURLOPT_UNRESTRICTED_AUTH
 A non-zero parameter tells the library it can continue to send authentication (user+password) when following locations, even when hostname changed. This
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 77a38f8..2a2f732 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -558,6 +558,21 @@ typedef enum {
 CURLFTPMETHOD_LAST /* not an option, never use */
 } curl_ftpmethod;
+/* CURLPROTO_ defines are for the CURLOPT_*PROTOCOLS options */
+#define CURLPROTO_HTTP (1<<0)
+#define CURLPROTO_HTTPS (1<<1)
+#define CURLPROTO_FTP (1<<2)
+#define CURLPROTO_FTPS (1<<3)
+#define CURLPROTO_SCP (1<<4)
+#define CURLPROTO_SFTP (1<<5)
+#define CURLPROTO_TELNET (1<<6)
+#define CURLPROTO_LDAP (1<<7)
+#define CURLPROTO_LDAPS (1<<8)
+#define CURLPROTO_DICT (1<<9)
+#define CURLPROTO_FILE (1<<10)
+#define CURLPROTO_TFTP (1<<11)
+#define CURLPROTO_ALL (~0) /* enable everything */
+
 /* long may be 32 or 64 bits, but we should never depend on anything else but 32 */
 #define CURLOPTTYPE_LONG 0
@@ -1159,6 +1174,18 @@ typedef enum {
 /* POST volatile input fields. */
 CINIT(COPYPOSTFIELDS, OBJECTPOINT, 165),
+ /* set the bitmask for the protocols that are allowed to be used for the
+ transfer, which thus helps the app which takes URLs from users or other
+ external inputs and want to restrict what protocol(s) to deal
+ with. Defaults to CURLPROTO_ALL. */
+ CINIT(PROTOCOLS, LONG, 181),
+
+ /* set the bitmask for the protocols that libcurl is allowed to follow to,
+ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
+ to be set in both bitmasks to be allowed to get redirected to. Defaults
+ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
+ CINIT(REDIR_PROTOCOLS, LONG, 182),
+
 CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index 0366bce..92175fa 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -40,7 +40,7 @@
 (doing so will reduce code size slightly). */
 #define OLD_ZLIB_SUPPORT 1
-#define DSIZ 0x10000 /* buffer size for decompressed data */
+#define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */
 #define GZIP_MAGIC_0 0x1f
 #define GZIP_MAGIC_1 0x8b
diff --git a/lib/easy.c b/lib/easy.c
index 97376c6..9a95a1d 100644
--- a/lib/easy.c
+++ b/lib/easy.c
@@ -742,6 +742,13 @@ void curl_easy_reset(CURL *curl)
 type */
 data->set.new_file_perms = 0644; /* Default permissions */
 data->set.new_directory_perms = 0755; /* Default permissions */
+
+ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
+ define since we internally only use the lower 16 bits for the passed
+ in bitmask to not conflict with the private bits */
+ data->set.allowed_protocols = PROT_EXTMASK;
+ data->set.redir_protocols =
+ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
 }
 #ifdef CURL_DOES_CONVERSIONS
diff --git a/lib/ssluse.c b/lib/ssluse.c
index c568d9e..6be11ed 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
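Review bot: The comment on `CINIT(REDIR_PROTOCOLS, LONG, 182)` states the default is `CURLPROTO_ALL & ~CURLPROTO_FILE`, but the initialisation added to lib/easy.c and lib/url.c in this same commit also clears `CURLPROTO_SCP`, and the man-page text in docs/libcurl/curl_easy_setopt.3 says "all protocols except for FILE and SCP". This header is the public contract, so make it agree with the code: `to CURLPROTO_ALL & ~(CURLPROTO_FILE|CURLPROTO_SCP). */`. The same stale wording is copied into the `CURLOPT_REDIR_PROTOCOLS` case of `Curl_setopt` in lib/url.c and should be fixed there too.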
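Review bot: The comment on `DSIZ` still reads only "buffer size for decompressed data" and gives no reason for tying it to `CURL_MAX_WRITE_SIZE`, so nothing stops a later maintainer from bumping it back to a larger literal; the spec changelog on this page attributes this change to the 2010-02-09 advisory, which is exactly the history that should be visible at the definition. Suggest `#define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data; must not exceed the largest chunk a write callback is documented to receive */`.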
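Review bot: The new default initialisation of `allowed_protocols`/`redir_protocols` in `curl_easy_reset` is a verbatim copy, comment included, of the block added to `Curl_open` in lib/url.c; these two functions already have to be kept in step for `new_file_perms`/`new_directory_perms`, and every additional copied default is another place for the two to drift. Consider a shared helper that both call, e.g. `static void set_default_protocols(struct UserDefined *set)` declared where `Curl_open` lives, or at least a single `PROT_REDIR_DEFAULT` macro next to `PROT_EXTMASK` in lib/urldata.h so the `~(CURLPROTO_FILE|CURLPROTO_SCP)` expression exists once. `curl_easy_reset` starts before the hunk.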
@@ -1028,7 +1028,7 @@ static CURLcode verifyhost(struct connectdata *conn,
 if(check->type == target) {
 /* get data and length */
 const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
- int altlen;
+ size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
 switch(target) {
 case GEN_DNS: /* name/pattern comparison */
@@ -1042,14 +1042,16 @@ static CURLcode verifyhost(struct connectdata *conn,
 "I checked the 0.9.6 and 0.9.8 sources before my patch and it always 0-terminates an IA5String." */
- if (cert_hostcheck(altptr, conn->host.name))
+ if((altlen == strlen(altptr)) &&
+ /* if this isn't true, there was an embedded zero in the name
+ string and we cannot match it. */
+ cert_hostcheck(altptr, conn->host.name))
 matched = TRUE;
 break;
 case GEN_IPADD: /* IP address comparison */
 /* compare alternative IP address if the data chunk is the same size our server IP address is */
- altlen = ASN1_STRING_length(check->d.ia5);
 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
 matched = TRUE;
 break;
@@ -1089,18 +1091,27 @@ static CURLcode verifyhost(struct connectdata *conn,
 string manually to avoid the problem. This code can be made conditional in the future when OpenSSL has been fixed. Work-around brought by Alexis S. L. Carvalho. */
- if (tmp && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
- j = ASN1_STRING_length(tmp);
- if (j >= 0) {
- peer_CN = OPENSSL_malloc(j+1);
- if (peer_CN) {
- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
- peer_CN[j] = '\0';
+ if(tmp) {
+ if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
+ j = ASN1_STRING_length(tmp);
+ if(j >= 0) {
+ peer_CN = OPENSSL_malloc(j+1);
+ if(peer_CN) {
+ memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ peer_CN[j] = '\0';
+ }
 }
 }
+ else /* not a UTF8 name */
+ j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
+
+ if(peer_CN && ((int)strlen((char *)peer_CN) != j)) {
+ /* there was a terminating zero before the end of string, this
+ cannot match and we return failure! */
+ failf(data, "SSL: illegal cert name field");
+ res = CURLE_SSL_PEER_CERTIFICATE;
+ }
 }
- else /* not a UTF8 name */
- j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
 }
 if (peer_CN == nulstr)
@@ -1118,7 +1129,10 @@ static CURLcode verifyhost(struct connectdata *conn,
 }
 #endif /* CURL_DOES_CONVERSIONS */
- if (!peer_CN) {
+ if(res)
+ /* error already detected, pass through */
+ ;
+ else if(!peer_CN) {
 failf(data, "SSL: unable to obtain common name from peer certificate");
 return CURLE_PEER_FAILED_VERIFICATION;
diff --git a/lib/url.c b/lib/url.c
index 15438af..75c8db4 100644
--- a/lib/url.c
+++ b/lib/url.c
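Review bot: The new `peer_CN && ((int)strlen((char *)peer_CN) != j)` check also fires when `ASN1_STRING_to_UTF8` fails: that call returns a negative `j` and leaves `peer_CN` untouched, and the `if (peer_CN == nulstr)` comparison just below the hunk suggests `peer_CN` starts as a non-NULL sentinel rather than NULL, so a conversion failure would be reported as "illegal cert name field" instead of the later "unable to obtain common name" message. If that reading is right, guard the length check with `if(peer_CN && j >= 0 && ((int)strlen((char *)peer_CN) != j)) {`. Also confirm that the `res` pass-through reaches the existing release of `peer_CN` (allocated by `OPENSSL_malloc` or `ASN1_STRING_to_UTF8`) rather than an early `return`; that cleanup is outside SOURCE. `verifyhost` starts and ends outside the hunk.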
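Review bot: The lone `;` under `if(res)` is a style hazard — it compiles, but `-Wempty-body` flags it and a reader skimming sees an `if` that does nothing. If the rest of the chain below the hunk ends in a common cleanup, the intent is clearer as an explicit jump, e.g. `if(res) goto done;` with the cleanup label named; otherwise fold the condition into the branches, `if(!res && !peer_CN) {`, so each branch states when it runs. The remainder of the chain and the cleanup are outside the hunk.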
@@ -726,6 +726,13 @@ CURLcode Curl_open(struct SessionHandle **curl)
 data->set.new_file_perms = 0644; /* Default permissions */
 data->set.new_directory_perms = 0755; /* Default permissions */
+ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
+ define since we internally only use the lower 16 bits for the passed
+ in bitmask to not conflict with the private bits */
+ data->set.allowed_protocols = PROT_EXTMASK;
+ data->set.redir_protocols =
+ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
+
 /* most recent connection is not yet defined */
 data->state.lastconnect = -1;
@@ -2038,6 +2045,22 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
 data->set.new_directory_perms = va_arg(param, long);
 break;
+ case CURLOPT_PROTOCOLS:
+ /* set the bitmask for the protocols that are allowed to be used for the
+ transfer, which thus helps the app which takes URLs from users or other
+ external inputs and want to restrict what protocol(s) to deal
+ with. Defaults to CURLPROTO_ALL. */
+ data->set.allowed_protocols = va_arg(param, long) & PROT_EXTMASK;
+ break;
+
+ case CURLOPT_REDIR_PROTOCOLS:
+ /* set the bitmask for the protocols that libcurl is allowed to follow to,
+ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
+ to be set in both bitmasks to be allowed to get redirected to. Defaults
+ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
+ data->set.redir_protocols = va_arg(param, long) & PROT_EXTMASK;
+ break;
+
 default:
 /* unknown tag and its companion, just ignore: */
 result = CURLE_FAILED_INIT; /* correct this */
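Review bot: `va_arg(param, long) & PROT_EXTMASK` in both new `Curl_setopt` cases silently drops any bit an application sets above the public range, and nothing at the call site explains why; given that `PROT_SSL` and `PROT_MISSING` now live at bits 22 and 23 in lib/urldata.h, the mask is precisely what prevents an application from setting libcurl-private flags through the API, which is worth one line on each case: `/* keep only the public CURLPROTO_ bits so the private PROT_SSL/PROT_MISSING bits can never be set from the API */`. The four-line block comments themselves duplicate the ones on the `CINIT` entries in include/curl/curl.h; a one-line pointer to the header would keep the two from drifting. `Curl_setopt` starts before and ends after the hunk.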
@@ -3632,6 +3655,15 @@ static CURLcode CreateConnection(struct SessionHandle *data,
 if (result != CURLE_OK)
 return result;
 }
+ /* Protocol found. Check if allowed */
+ if(!(data->set.allowed_protocols & conn->protocol) ||
+ /* it is allowed for "normal" request, now do an extra check if this is
+ the result of a redirect */
+ (data->state.this_is_a_follow &&
+ !(data->set.redir_protocols & conn->protocol))) {
+ failf(data, "Unsupported protocol: %s", conn->protostr);
+ return CURLE_UNSUPPORTED_PROTOCOL;
+ }
 /***********************************************************************
diff --git a/lib/urldata.h b/lib/urldata.h
index a5157d3..e31a0f8 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
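Review bot: The rejection message `"Unsupported protocol: %s"` is emitted after the protocol has already been found, so an application that restricted the transfer via `CURLOPT_PROTOCOLS` gets the same text as it would for a protocol libcurl was not built with, and a redirect blocked by `CURLOPT_REDIR_PROTOCOLS` is indistinguishable from either in the error buffer — this is the one place an operator would look to learn that the restriction worked. Split the two causes: `failf(data, "Protocol %s not allowed by CURLOPT_PROTOCOLS", conn->protostr);` for the first condition and `failf(data, "Protocol %s not allowed for redirects (CURLOPT_REDIR_PROTOCOLS)", conn->protostr);` for the `this_is_a_follow` branch, keeping the `CURLE_UNSUPPORTED_PROTOCOL` return for compatibility. `CreateConnection` starts and ends outside the hunk.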
@@ -892,19 +892,26 @@ struct connectdata {
 long connectindex; /* what index in the connection cache connects index this particular struct has */
 long protocol; /* PROT_* flags concerning the protocol set */
-#define PROT_MISSING (1<<0)
-#define PROT_HTTP (1<<2)
-#define PROT_HTTPS (1<<3)
-#define PROT_FTP (1<<4)
-#define PROT_TELNET (1<<5)
-#define PROT_DICT (1<<6)
-#define PROT_LDAP (1<<7)
-#define PROT_FILE (1<<8)
-#define PROT_FTPS (1<<9)
-#define PROT_SSL (1<<10) /* protocol requires SSL */
-#define PROT_TFTP (1<<11)
-#define PROT_SCP (1<<12)
-#define PROT_SFTP (1<<13)
+#define PROT_HTTP CURLPROTO_HTTP
+#define PROT_HTTPS CURLPROTO_HTTPS
+#define PROT_FTP CURLPROTO_FTP
+#define PROT_TELNET CURLPROTO_TELNET
+#define PROT_DICT CURLPROTO_DICT
+#define PROT_LDAP CURLPROTO_LDAP
+#define PROT_FILE CURLPROTO_FILE
+#define PROT_FTPS CURLPROTO_FTPS
+#define PROT_TFTP CURLPROTO_TFTP
+#define PROT_SCP CURLPROTO_SCP
+#define PROT_SFTP CURLPROTO_SFTP
+
+/* CURLPROTO_TFTP (1<<11) is currently the highest used bit in the public
+ bitmask. We make sure we use "private bits" above the first 16 to make
+ things easier. */
+
+#define PROT_EXTMASK 0xfff
+
+#define PROT_SSL (1<<22) /* protocol requires SSL */
+#define PROT_MISSING (1<<23)
 #define PROT_CLOSEACTION PROT_FTP /* these ones need action before socket close */
@@ -1459,6 +1466,8 @@ struct UserDefined {
 content-encoded (chunked, compressed) */
 long new_file_perms; /* Permissions to use when creating remote files */
 long new_directory_perms; /* Permissions to use when creating remote dirs */
+ long allowed_protocols;
+ long redir_protocols;
 char *str[STRING_LAST]; /* array of strings, pointing to allocated memory */
 };
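Review bot: `PROT_EXTMASK` is `0xfff` (bits 0–11), but the comment directly above it reserves the "private bits" above the first 16, and the matching comments added to lib/easy.c and lib/url.c say "lower 16 bits"; today `CURLPROTO_TFTP (1<<11)` is the last public bit so everything fits, but the next `CURLPROTO_` value (bit 12) would compile cleanly and then be silently stripped by the `& PROT_EXTMASK` in `Curl_setopt` and excluded from the defaults in `Curl_open`, i.e. unusable with no diagnostic. Either change it to `#define PROT_EXTMASK 0xffff` so the code matches the stated reservation, or keep `0xfff` and correct the three comments; in both cases put the coupling in the comment: `/* must cover every public CURLPROTO_ bit; update when one is added */`. The struct continues outside the hunk.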
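Review bot: The two new `struct UserDefined` members are the only ones in the hunk without a trailing comment, while every neighbour documents its purpose. Suggest `long allowed_protocols; /* CURLOPT_PROTOCOLS bitmask, limited to PROT_EXTMASK */` and `long redir_protocols; /* CURLOPT_REDIR_PROTOCOLS bitmask; a protocol must be set here and in allowed_protocols to be followed on redirect */`, which matches the check added to `CreateConnection` in lib/url.c. `struct UserDefined` starts before the hunk.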