granicus.if.org Git - curl/commit
libcurl: Restrict redirect schemes
author Linos Giannopoulos <lgian@skroutz.gr>
Fri, 5 Jul 2019 14:48:07 +0000 (17:48 +0300)
committer Daniel Stenberg <daniel@haxx.se>
Sun, 14 Jul 2019 14:29:55 +0000 (16:29 +0200)
commit 6080ea098d97393da32c6f66eb95c7144620298c
tree 1c4bf7d389268ac150ac88859c52f1d6fb5aee25
parent 7e8f1916d6d90b6b2a68833846a52e1ea9dbb309

All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.

For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.

Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.

[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
Closes #4094
lib/url.c
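
The redirect policy described in the commit message, modelled as a stand-alone C program. This is an added example, not code from the commit or from libcurl. The `P_*` flags, `REDIR_DEFAULT`, `scheme_bit` and `redirect_allowed` are names assumed for this example (libcurl's real flags are the `CURLPROTO_*` constants), and the sample `Location` values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flags for this example; libcurl's real ones are CURLPROTO_*. */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4, P_GOPHER = 8, P_FILE = 16, P_SMB = 32 };
/* Redirect default stated in the commit message: HTTP/HTTPS and FTP only. */
#define REDIR_DEFAULT (P_HTTP | P_HTTPS | P_FTP)

static const struct { const char *name; unsigned bit; } schemes[] = {
  {"http", P_HTTP}, {"https", P_HTTPS}, {"ftp", P_FTP},
  {"gopher", P_GOPHER}, {"file", P_FILE}, {"smb", P_SMB},
};

/* Flag for the scheme of `url`; 0 if the scheme is unknown; `base` if `url`
   is a relative reference and so stays on the current request's scheme. */
static unsigned scheme_bit(const char *url, unsigned base)
{
  size_t n = 0, i, k;
  while(*url == ' ' || *url == '\t') url++;  /* tolerate leading blanks */
  /* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":" */
  if(!isalpha((unsigned char)url[0])) return base;
  while(isalnum((unsigned char)url[n]) || (url[n] && strchr("+-.", url[n]))) n++;
  if(url[n] != ':') return base;
  for(i = 0; i < sizeof(schemes) / sizeof(schemes[0]); i++) {
    if(strlen(schemes[i].name) != n) continue;
    for(k = 0; k < n && tolower((unsigned char)url[k]) == schemes[i].name[k]; k++) ;
    if(k == n) return schemes[i].bit;      /* case-insensitive match */
  }
  return 0;                                /* unknown scheme: fail closed */
}

/* 1 if following a redirect to `location` is permitted by `allowed`, else 0. */
int redirect_allowed(const char *location, unsigned current, unsigned allowed)
{
  return (scheme_bit(location, current) & allowed) != 0;
}

int main(void)
{
  /* Constructed Location header values. */
  const char *loc[] = { "HTTPS://example.com/a", "/relative/path",
                        "gopher://internal.example/", "file:///tmp/x" };
  size_t i;
  for(i = 0; i < sizeof(loc) / sizeof(loc[0]); i++)
    printf("%-28s %s\n", loc[i],
           redirect_allowed(loc[i], P_HTTP, REDIR_DEFAULT) ? "follow" : "refuse");
  return 0;
}
```

In a real client the equivalent restriction is set on the handle with `curl_easy_setopt` and `CURLOPT_REDIR_PROTOCOLS`, the option the commit message names.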