View Issue Details

IDProjectCategoryView StatusLast Update
0008038Talerauditorpublic2024-03-07 20:47
Reporterfefe Assigned ToChristian Grothoff  
PrioritynormalSeveritytweakReproducibilityhave not tried
Status closedResolutionfixed 
Product Version0.9.3 
Target Version0.9.4Fixed in Version0.9.4 
Summary0008038: curl defaults allow redirect to http://
Descriptionexchange/src/lib/auditor_api_curl_defaults.c sets some libcurl defaults, among them:

 40 GNUNET_assert (CURLE_OK ==
 41 curl_easy_setopt (eh,
 43 1L));

 50 /* limit MAXREDIRS to 5 as a simple security measure against
 51 a potential infinite loop caused by a malicious target */
 52 GNUNET_assert (CURLE_OK ==
 53 curl_easy_setopt (eh,
 55 5L));

Receiving and following a HTTP redirect is expected and supported.
However, a redirect could also go to a different URL scheme. Current curl versions support http, https, ftp and ftps.

Shouldn't we limit the redirect protocol to https here?
Additional InformationThis is how you limit the redirect protocol:

         /* only allow redirects to HTTP and HTTPS URLs */
         curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS_STR, "https");

TagsNo tags attached.


child of 0008112 assignedfefe Merchant security review 


Christian Grothoff

2024-01-08 14:05

manager   ~0020823

We do want to allow redirects to http as http is frequently used for testing/debugging and we probably should not restrict that.
Are you sure your example does allow HTTP? Reading it literally, it would suggest that only HTTPS is allowed....


2024-01-08 14:52

developer   ~0020824

My example was meant to show how to NOT allow http.
I copied it from the man page and forgot to change the comment as well.

Christian Grothoff

2024-01-08 14:57

manager   ~0020825

Last edited: 2024-01-08 15:57

I see. Well, we should allow http -> http and http->https redirection (so "http,https"), but I guess we might not want "https" redir to "http".

Christian Grothoff

2024-01-08 16:07

manager   ~0020826

Addressed in Git master (commit 02600a748e0262903b23a5b7f9fa5777c5e16aa5).

Christian Grothoff

2024-01-08 19:28

manager   ~0020833

Did a few more updates, new code in src/curl/curl.c, moved there so it can be shared (de-duplication). Also made sure it is portable to older curl versions, plus bugfix.

Issue History

Date Modified Username Field Change
2024-01-08 13:40 fefe New Issue
2024-01-08 13:40 fefe Status new => assigned
2024-01-08 13:40 fefe Assigned To => Christian Grothoff
2024-01-08 14:05 Christian Grothoff Note Added: 0020823
2024-01-08 14:52 fefe Note Added: 0020824
2024-01-08 14:57 Christian Grothoff Note Added: 0020825
2024-01-08 15:57 Christian Grothoff Note Edited: 0020825
2024-01-08 16:07 Christian Grothoff Status assigned => resolved
2024-01-08 16:07 Christian Grothoff Resolution open => fixed
2024-01-08 16:07 Christian Grothoff Fixed in Version => 0.9.4
2024-01-08 16:07 Christian Grothoff Note Added: 0020826
2024-01-08 16:07 Christian Grothoff Target Version => 0.9.4
2024-01-08 16:07 Christian Grothoff Severity minor => tweak
2024-01-08 19:28 Christian Grothoff Note Added: 0020833
2024-01-18 23:33 Christian Grothoff Relationship added child of 0008112
2024-03-07 20:47 Christian Grothoff Status resolved => closed