diff options
| author | Lennart Poettering <lennart@poettering.net> | 2021-08-19 18:12:56 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-08-20 21:56:00 +0200 |
| commit | 55b90ee00b78a449c8f187a5e8141f8ccb100bf4 (patch) | |
| tree | 92116f11176565cc595f747a50aa27b7b85ccd9d /src/import | |
| parent | Merge pull request #20421 from maanyagoenka/systemd-security (diff) | |
| download | systemd-55b90ee00b78a449c8f187a5e8141f8ccb100bf4.tar.xz systemd-55b90ee00b78a449c8f187a5e8141f8ccb100bf4.zip | |
import: turn off weird protocols in curl
Let's lock things down a bit and now allow curl's weirder protocols to
be used with our use. i.e. stick to http:// + https:// + file:// and
turn everything else off. (Gopher!)
This is cde that interfaces with the network after all, and we better
shouldn't support protocols needlessly that are much less tested.
(Given that HTTP redirects (and other redirects) exist, this should give
us a security benefit, since we will then be sure that noone can forward
us to a weird protocol, which we never tested, and other people test
neither)
Diffstat (limited to 'src/import')
| -rw-r--r-- | src/import/curl-util.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/import/curl-util.c b/src/import/curl-util.c index ed2ac0a654..d6a16b4f57 100644 --- a/src/import/curl-util.c +++ b/src/import/curl-util.c @@ -256,6 +256,9 @@ int curl_glue_make(CURL **ret, const char *url, void *userdata) { if (curl_easy_setopt(c, CURLOPT_LOW_SPEED_LIMIT, 30L) != CURLE_OK) return -EIO; + if (curl_easy_setopt(c, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_FILE) != CURLE_OK) + return -EIO; + *ret = TAKE_PTR(c); return 0; } |