author | Linos Giannopoulos <lgian@skroutz.gr> | 2019-07-05 17:48:07 +0300 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-07-14 16:29:55 +0200 |
commit | 6080ea098d97393da32c6f66eb95c7144620298c (patch) | |
tree | 1c4bf7d389268ac150ac88859c52f1d6fb5aee25 | |
parent | 7e8f1916d6d90b6b2a68833846a52e1ea9dbb309 (diff) |
libcurl: Restrict redirect schemes
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterparts were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.
For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.
Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.
[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
Closes #4094
-rw-r--r-- | lib/url.c | 4 |
1 files changed, 1 insertions, 3 deletions
@@ -488,9 +488,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) define since we internally only use the lower 16 bits for the passed in bitmask to not conflict with the private bits */ set->allowed_protocols = CURLPROTO_ALL; - set->redir_protocols = CURLPROTO_ALL & /* All except FILE, SCP and SMB */ - ~(CURLPROTO_FILE | CURLPROTO_SCP | CURLPROTO_SMB | - CURLPROTO_SMBS); + set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP; #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) /* |
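Review bot: the new default `set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP;` omits CURLPROTO_FTPS even though the commit message says FTP remains allowed; please confirm the TLS variant is meant to be excluded and say so explicitly in the message either way. Because this is a behaviour change for every application that follows redirects with the default mask, the documented default for CURLOPT_REDIR_PROTOCOLS should be updated in the same change, with a one-line note that applications needing other schemes must opt in through CURLOPT_REDIR_PROTOCOLS. The removed `/* All except FILE, SCP and SMB */` comment is not replaced; a short comment beside the new line stating why the list is deliberately narrow (the redirect-to-arbitrary-scheme concern described in the message) would help future readers understand that the narrowing is intentional.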