View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008038 | Taler | auditor | public | 2024-01-08 13:40 | 2024-03-07 20:47 |
| Reporter | fefe | Assigned To | Christian Grothoff | ||
| Priority | normal | Severity | tweak | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | 0.9.3 | ||||
| Target Version | 0.9.4 | Fixed in Version | 0.9.4 | ||
| Summary | 0008038: curl defaults allow redirect to http:// | ||||
| Description | exchange/src/lib/auditor_api_curl_defaults.c sets some libcurl defaults, among them: 40 GNUNET_assert (CURLE_OK == 41 curl_easy_setopt (eh, 42 CURLOPT_FOLLOWLOCATION, 43 1L)); 50 /* limit MAXREDIRS to 5 as a simple security measure against 51 a potential infinite loop caused by a malicious target */ 52 GNUNET_assert (CURLE_OK == 53 curl_easy_setopt (eh, 54 CURLOPT_MAXREDIRS, 55 5L)); Receiving and following a HTTP redirect is expected and supported. However, a redirect could also go to a different URL scheme. Current curl versions support http, https, ftp and ftps. Shouldn't we limit the redirect protocol to https here? | ||||
| Additional Information | This is how you limit the redirect protocol: /* only allow redirects to HTTP and HTTPS URLs */ curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS_STR, "https"); (man CURLOPT_REDIR_PROTOCOLS_STR) | ||||
| Tags | No tags attached. | ||||
|
|
We do want to allow redirects to http as http is frequently used for testing/debugging and we probably should not restrict that. Are you sure your example does allow HTTP? Reading it literally, it would suggest that only HTTPS is allowed.... |
|
|
My example was meant to show how to NOT allow http. I copied it from the man page and forgot to change the comment as well. |
|
|
I see. Well, we should allow http -> http and http->https redirection (so "http,https"), but I guess we might not want "https" redir to "http". |
|
|
Addressed in Git master (commit 02600a748e0262903b23a5b7f9fa5777c5e16aa5). |
|
|
Did a few more updates, new code in src/curl/curl.c, moved there so it can be shared (de-duplication). Also made sure it is portable to older curl versions, plus bugfix. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-01-08 13:40 | fefe | New Issue | |
| 2024-01-08 13:40 | fefe | Status | new => assigned |
| 2024-01-08 13:40 | fefe | Assigned To | => Christian Grothoff |
| 2024-01-08 14:05 | Christian Grothoff | Note Added: 0020823 | |
| 2024-01-08 14:52 | fefe | Note Added: 0020824 | |
| 2024-01-08 14:57 | Christian Grothoff | Note Added: 0020825 | |
| 2024-01-08 15:57 | Christian Grothoff | Note Edited: 0020825 | |
| 2024-01-08 16:07 | Christian Grothoff | Status | assigned => resolved |
| 2024-01-08 16:07 | Christian Grothoff | Resolution | open => fixed |
| 2024-01-08 16:07 | Christian Grothoff | Fixed in Version | => 0.9.4 |
| 2024-01-08 16:07 | Christian Grothoff | Note Added: 0020826 | |
| 2024-01-08 16:07 | Christian Grothoff | Target Version | => 0.9.4 |
| 2024-01-08 16:07 | Christian Grothoff | Severity | minor => tweak |
| 2024-01-08 19:28 | Christian Grothoff | Note Added: 0020833 | |
| 2024-01-18 23:33 | Christian Grothoff | Relationship added | child of 0008112 |
| 2024-03-07 20:47 | Christian Grothoff | Status | resolved => closed |
