Index: docs/libcurl/curl_easy_setopt.3 =================================================================== --- docs/libcurl/curl_easy_setopt.3.orig +++ docs/libcurl/curl_easy_setopt.3 @@ -234,6 +234,26 @@ it, as it doesn't copy the string. \fBNOTE:\fP this option is (the only one) required to be set before \fIcurl_easy_perform(3)\fP is called. + +\fICURLOPT_PROTOCOLS\fP can be used to limit what protocols libcurl will use +for this transfer, independent of what libcurl has been compiled to +support. That may be useful if you accept the URL from an external source and +want to limit the accessibility. +.IP CURLOPT_PROTOCOLS +Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask +limits what protocols libcurl may use in the transfer. This allows you to have +a libcurl built to support a wide range of protocols but still limit specific +transfers to only be allowed to use a subset of them. By default libcurl will +accept all protocols it supports. See also +\fICURLOPT_REDIR_PROTOCOLS\fP. (Added in 7.19.4) +.IP CURLOPT_REDIR_PROTOCOLS +Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask +limits what protocols libcurl may use in a transfer that it follows to in a +redirect when \fICURLOPT_FOLLOWLOCATION\fP is enabled. This allows you to +limit specific transfers to only be allowed to use a subset of protocols in +redirections. By default libcurl will allow all protocols except for FILE. +This is a difference compared to pre-7.19.4 versions which +unconditionally would follow to all protocols supported. (Added in 7.19.4) .IP CURLOPT_PROXY Set HTTP proxy to use. The parameter should be a char * to a zero terminated string holding the host name or dotted IP address. To specify port number in @@ -410,6 +430,10 @@ server sends as part of a HTTP header. new location and follow new Location: headers all the way until no more such headers are returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number of redirects libcurl will follow. + +NOTE: since 7.19.4, libcurl can limit to what protocols it will automatically +follow. The accepted protocols are set with \fICURLOPT_REDIR_PROTOCOLS\fP and +it excludes the FILE protocol by default. .IP CURLOPT_UNRESTRICTED_AUTH A non-zero parameter tells the library it can continue to send authentication (user+password) when following locations, even when hostname changed. Note Index: include/curl/curl.h =================================================================== --- include/curl/curl.h.orig +++ include/curl/curl.h @@ -265,6 +265,18 @@ typedef enum { CURLFTPSSL_LAST /* not an option, never use */ } curl_ftpssl; +/* CURLPROTO_ defines are for the CURLOPT_*PROTOCOLS options */ +#define CURLPROTO_HTTP (1<<0) +#define CURLPROTO_HTTPS (1<<1) +#define CURLPROTO_FTP (1<<2) +#define CURLPROTO_FTPS (1<<3) +#define CURLPROTO_TELNET (1<<6) +#define CURLPROTO_LDAP (1<<7) +#define CURLPROTO_LDAPS (1<<8) +#define CURLPROTO_DICT (1<<9) +#define CURLPROTO_FILE (1<<10) +#define CURLPROTO_ALL (~0) /* enable everything */ + /* long may be 32 or 64 bits, but we should never depend on anything else but 32 */ #define CURLOPTTYPE_LONG 0 @@ -745,6 +757,18 @@ typedef enum { */ CINIT(FTP_SSL, LONG, 119), + /* set the bitmask for the protocols that are allowed to be used for the + transfer, which thus helps the app which takes URLs from users or other + external inputs and want to restrict what protocol(s) to deal + with. Defaults to CURLPROTO_ALL. */ + CINIT(PROTOCOLS, LONG, 181), + + /* set the bitmask for the protocols that libcurl is allowed to follow to, + as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs + to be set in both bitmasks to be allowed to get redirected to. Defaults + to CURLPROTO_ALL & ~CURLPROTO_FILE. */ + CINIT(REDIR_PROTOCOLS, LONG, 182), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; Index: lib/url.c =================================================================== --- lib/url.c.orig +++ lib/url.c @@ -296,6 +296,13 @@ CURLcode Curl_open(struct SessionHandle data->set.httpauth = CURLAUTH_BASIC; /* defaults to basic authentication */ data->set.proxyauth = CURLAUTH_BASIC; /* defaults to basic authentication */ + /* for the *protocols fields we don't use the CURLPROTO_ALL convenience + define since we internally only use the lower 16 bits for the passed + in bitmask to not conflict with the private bits */ + data->set.allowed_protocols = PROT_EXTMASK | PROT_GOPHER; + data->set.redir_protocols = + (PROT_EXTMASK & ~CURLPROTO_FILE) | PROT_GOPHER; /* not FILE */ + /* create an array with connection data struct pointers */ data->state.numconnects = 5; /* hard-coded right now */ data->state.connects = (struct connectdata **) @@ -1282,6 +1289,22 @@ CURLcode Curl_setopt(struct SessionHandl data->set.max_filesize = va_arg(param, off_t); break; + case CURLOPT_PROTOCOLS: + /* set the bitmask for the protocols that are allowed to be used for the + transfer, which thus helps the app which takes URLs from users or other + external inputs and want to restrict what protocol(s) to deal + with. Defaults to CURLPROTO_ALL. */ + data->set.allowed_protocols = va_arg(param, long) & PROT_EXTMASK; + break; + + case CURLOPT_REDIR_PROTOCOLS: + /* set the bitmask for the protocols that libcurl is allowed to follow to, + as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs + to be set in both bitmasks to be allowed to get redirected to. Defaults + to CURLPROTO_ALL & ~CURLPROTO_FILE. */ + data->set.redir_protocols = va_arg(param, long) & PROT_EXTMASK; + break; + default: /* unknown tag and its companion, just ignore: */ return CURLE_FAILED_INIT; /* correct this */ @@ -2579,8 +2602,6 @@ static CURLcode CreateConnection(struct result = Curl_Transfer(conn, -1, -1, FALSE, NULL, /* no download */ -1, NULL); /* no upload */ } - - return result; #else failf(data, LIBCURL_NAME " was built with FILE disabled!"); @@ -2592,6 +2613,18 @@ static CURLcode CreateConnection(struct failf(data, "Unsupported protocol: %s", conn->protostr); return CURLE_UNSUPPORTED_PROTOCOL; } + /* Protocol found. Check if allowed */ + if(!(data->set.allowed_protocols & conn->protocol) || + /* it is allowed for "normal" request, now do an extra check if this is + the result of a redirect */ + (data->state.this_is_a_follow && + !(data->set.redir_protocols & conn->protocol))) { + failf(data, "Unsupported protocol: %s", conn->protostr); + return CURLE_UNSUPPORTED_PROTOCOL; + } + if (conn->protocol & PROT_FILE) + return result; + /************************************************************* * Figure out the remote port number Index: lib/urldata.h =================================================================== --- lib/urldata.h.orig +++ lib/urldata.h @@ -399,17 +399,27 @@ struct connectdata { struct has */ long protocol; /* PROT_* flags concerning the protocol set */ -#define PROT_MISSING (1<<0) -#define PROT_GOPHER (1<<1) -#define PROT_HTTP (1<<2) -#define PROT_HTTPS (1<<3) -#define PROT_FTP (1<<4) -#define PROT_TELNET (1<<5) -#define PROT_DICT (1<<6) -#define PROT_LDAP (1<<7) -#define PROT_FILE (1<<8) -#define PROT_FTPS (1<<9) -#define PROT_SSL (1<<10) /* protocol requires SSL */ +#define PROT_HTTP CURLPROTO_HTTP +#define PROT_HTTPS CURLPROTO_HTTPS +#define PROT_FTP CURLPROTO_FTP +#define PROT_TELNET CURLPROTO_TELNET +#define PROT_DICT CURLPROTO_DICT +#define PROT_LDAP CURLPROTO_LDAP +#define PROT_FILE CURLPROTO_FILE +#define PROT_FTPS CURLPROTO_FTPS +/* CURLPROTO_TFTP (1<<11) is currently the highest used bit in the public + bitmask. We make sure we use "private bits" above the first 16 to make + things easier. */ + +#define PROT_EXTMASK 0xffff + +#define PROT_SSL (1<<22) /* protocol requires SSL */ +#define PROT_MISSING (1<<23) +/* CURLPROTO_GOPHER is not defined in the 7.19.4 headers, as gopher + support has been dropped long ago. Apps won't be able to explicitly + allow gopher, but that's probably not going to be an issue */ +#define PROT_GOPHER (1<<24) + /* the particular host we use, in two different ways */ struct Curl_dns_entry *connect_addr; @@ -870,6 +880,8 @@ struct UserDefined { bool no_signal; /* do not use any signal/alarm handler */ bool global_dns_cache; + long allowed_protocols; + long redir_protocols; }; /*