mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-03-13 15:37:04 +08:00
Code Issues Packages Projects Releases Wiki Activity
curl/lib
History
Linos Giannopoulos 6080ea098d
libcurl: Restrict redirect schemes 
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.

For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.

Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.

[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>

Closes #4094
2019-07-14 16:29:55 +02:00
..
vauth
build: fix Codacy warnings
2019-06-05 20:38:06 +02:00
vtls
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
2019-07-14 16:24:46 +02:00
.gitattributes
.gitignore
altsvc.c
cleanup: remove FIXME and TODO comments
2019-05-16 09:16:56 +02:00
altsvc.h
alt-svc: the libcurl bits
2019-03-03 11:17:52 +01:00
amigaos.c
configure: add --with-amissl
2019-03-15 10:22:42 +01:00
amigaos.h
configure: add --with-amissl
2019-03-15 10:22:42 +01:00
arpa_telnet.h
travis: add build for "configure --disable-verbose"
2018-10-18 14:51:49 +02:00
asyn-ares.c
c-ares: honor port numbers in CURLOPT_DNS_SERVERS
2019-06-24 15:34:16 +02:00
asyn-thread.c
threaded-resolver: shutdown the resolver thread without error message
2019-03-01 09:31:34 +01:00
asyn.h
curl_multi_remove_handle() don't block terminating c-ares requests
2019-01-07 10:05:20 +01:00
base64.c
base64: build conditionally if there are users
2019-05-13 08:17:09 +02:00
checksrc.pl
checksrc: add COPYRIGHTYEAR check
2018-12-03 23:13:40 +01:00
CMakeLists.txt
CMake: Improve config installation
2018-10-01 16:16:29 -04:00
config-amigaos.h
config-dos.h
whitespace fixes
2018-09-23 22:24:02 +00:00
config-mac.h
config-os400.h
config-os400: add getpeername and getsockname defines
2019-06-18 16:42:51 +02:00
config-riscos.h
config-symbian.h
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
2019-07-14 16:24:46 +02:00
config-tpf.h
config-vxworks.h
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
2019-07-14 16:24:46 +02:00
config-win32.h
url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
2019-05-29 07:19:20 +01:00
config-win32ce.h
conncache.c
conncache: Remove the DEBUGASSERT on length check
2019-05-29 22:07:43 +01:00
conncache.h
conncache: make "bundles" per host name when doing proxy tunnels
2019-05-28 16:23:59 +02:00
connect.c
bindlocal: detect and avoid IP version mismatches in bind()
2019-06-10 08:01:50 +02:00
connect.h
cleanup: make local functions static
2019-02-10 18:38:57 +01:00
content_encoding.c
content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
2018-07-12 22:46:15 +02:00
content_encoding.h
cookie.c
lib: Use UTF-8 encoding in comments
2019-07-06 23:25:20 -04:00
cookie.h
altsvc: Fix building with cookies disables
2019-04-20 22:46:21 +02:00
curl_addrinfo.c
memdebug: log pointer before freeing its data
2019-03-12 21:45:03 +01:00
curl_addrinfo.h
memdebug: make debug-specific functions use curl_dbg_ prefix
2019-03-08 23:21:21 +01:00
curl_base64.h
curl_config.h.cmake
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
2019-07-14 16:24:46 +02:00
curl_ctype.c
URL: fix ASCII dependency in strcpy_url and strlen_url
2018-05-03 15:19:20 +02:00
curl_ctype.h
URL: fix ASCII dependency in strcpy_url and strlen_url
2018-05-03 15:19:20 +02:00
curl_des.c
curl_des.h
curl_endian.c
cleanup: make local functions static
2019-02-10 18:38:57 +01:00
curl_endian.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
curl_fnmatch.c
cleanup: remove FIXME and TODO comments
2019-05-16 09:16:56 +02:00
curl_fnmatch.h
curl_get_line.c
altsvc: Fix building with cookies disables
2019-04-20 22:46:21 +02:00
curl_get_line.h
altsvc: Fix building with cookies disables
2019-04-20 22:46:21 +02:00
curl_gethostname.c
curl_gethostname.h
curl_gssapi.c
snprintf: renamed and we now only use msnprintf()
2018-11-23 08:26:51 +01:00
curl_gssapi.h
gssapi: fix deprecated header warnings
2019-02-14 08:38:43 +01:00
curl_hmac.h
curl_ldap.h
whitespace fixes
2018-09-23 22:24:02 +00:00
curl_md4.h
ntlm: Missed pre-processor || (or) during rebase for cd15acd0
2019-04-23 20:26:02 +01:00
curl_md5.h
md5: Update the function signature following d84da52d
2019-04-16 00:08:42 +01:00
curl_memory.h
cleanup: remove FIXME and TODO comments
2019-05-16 09:16:56 +02:00
curl_memrchr.c
Curl_memchr: zero length input can't match
2018-04-24 08:03:23 +02:00
curl_memrchr.h
curl_multibyte.c
curl_multibyte: fix a malloc overcalculation
2018-11-06 03:11:05 -05:00
curl_multibyte.h
curl_ntlm_core.c
build: fix Codacy warnings
2019-06-05 20:38:06 +02:00
curl_ntlm_core.h
ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
2019-04-23 20:00:33 +01:00
curl_ntlm_wb.c
http_ntlm_wb: Handle auth for only a single request
2019-05-18 19:01:11 +01:00
curl_ntlm_wb.h
http_ntlm_wb: Move the type-2 message processing into a dedicated function
2019-05-16 00:03:30 +01:00
curl_path.c
ssh: define USE_SSH if SSH is enabled (any backend)
2019-05-06 10:14:17 +02:00
curl_path.h
headers: end all headers with guard comment
2018-10-23 10:02:24 +02:00
curl_printf.h
snprintf: renamed and we now only use msnprintf()
2018-11-23 08:26:51 +01:00
curl_range.c
Curl_range: fix FTP-only and FILE-only builds
2018-03-11 20:33:04 +01:00
curl_range.h
curl_rtmp.c
urldata: simplify bytecounters
2019-03-01 17:30:34 +01:00
curl_rtmp.h
curl_sasl.c
Revert all SASL authzid (new feature) commits
2019-05-25 23:36:11 +02:00
curl_sasl.h
curl_sec.h
curl_setup_once.h
whitespace fixes
2018-09-23 22:24:02 +00:00
curl_setup.h
wolfssl: refer to it as wolfSSL only
2019-06-10 09:18:16 +02:00
curl_sha256.h
curl_sspi.c
comment: Fix multiple typos in function parameters
2018-10-03 10:27:27 +02:00
curl_sspi.h
curl_threads.c
curl_threads: fix classic MinGW compile break
2018-09-27 09:13:20 +02:00
curl_threads.h
Windows: fixes for MinGW targeting Windows Vista
2018-10-09 08:33:45 +02:00
curlx.h
snprintf: renamed and we now only use msnprintf()
2018-11-23 08:26:51 +01:00
dict.c
urldata: simplify bytecounters
2019-03-01 17:30:34 +01:00
dict.h
doh.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
doh.h
doh: CURL_DISABLE_DOH
2019-05-13 08:17:09 +02:00
dotdot.c
Curl_dedotdotify(): always nul terminate returned string.
2018-09-24 07:48:41 +02:00
dotdot.h
headers: end all headers with guard comment
2018-10-23 10:02:24 +02:00
easy.c
unpause: trigger a timeout for event-based transfers
2019-06-09 18:33:59 +02:00
easyif.h
whitespace fixes
2018-09-23 22:24:02 +00:00
escape.c
snprintf: renamed and we now only use msnprintf()
2018-11-23 08:26:51 +01:00
escape.h
whitespace fixes
2018-09-23 22:24:02 +00:00
file.c
file: fix "Checking if unsigned variable 'readcount' is less than zero."
2019-03-12 21:46:11 +01:00
file.h
whitespace fixes
2018-09-23 22:24:02 +00:00
fileinfo.c
wildcard: disable from build when FTP isn't present
2019-05-13 08:17:09 +02:00
fileinfo.h
ftplistparser: keep state between invokes
2018-04-24 14:23:20 +02:00
firefox-db2pem.sh
whitespace fixes
2018-09-23 22:24:02 +00:00
formdata.c
mime: acknowledge CURL_DISABLE_MIME
2019-05-13 08:17:09 +02:00
formdata.h
mime: acknowledge CURL_DISABLE_MIME
2019-05-13 08:17:09 +02:00
ftp.c
build: fix Codacy warnings
2019-06-05 20:38:06 +02:00
ftp.h
urldata: simplify bytecounters
2019-03-01 17:30:34 +01:00
ftplistparser.c
ftplistparser: fix LGTM alert "Empty block without comment"
2019-04-05 12:56:18 +02:00
ftplistparser.h
getenv.c
getinfo.c
urldata: simplify bytecounters
2019-03-01 17:30:34 +01:00
getinfo.h
gopher.c
gopher: remove check for path == NULL
2019-03-05 08:01:50 +01:00
gopher.h
hash.c
cppcheck: fix warnings
2018-06-11 11:14:48 +02:00
hash.h
multi: fix the transfer hashes in the socket hash entries
2019-06-12 12:31:23 +02:00
hmac.c
checksrc: make sure sizeof() is used *with* parentheses
2018-05-21 23:21:47 +02:00
hostasyn.c
dns: release sharelock as soon as possible
2019-02-11 13:34:11 +01:00
hostcheck.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
hostcheck.h
whitespace fixes
2018-09-23 22:24:02 +00:00
hostip4.c
snprintf: renamed and we now only use msnprintf()
2018-11-23 08:26:51 +01:00
hostip6.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
hostip.c
hostip: CURL_DISABLE_SHUFFLE_DNS
2019-05-17 23:24:34 +02:00
hostip.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
hostsyn.c
http2.c
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
http2.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
http_chunks.c
ctype: restore character classification for non-ASCII platforms
2018-04-24 14:36:06 +02:00
http_chunks.h
whitespace fixes
2018-09-23 22:24:02 +00:00
http_digest.c
auth: Rename the various authentication clean up functions
2019-05-12 18:37:00 +01:00
http_digest.h
auth: Rename the various authentication clean up functions
2019-05-12 18:37:00 +01:00
http_negotiate.c
http_negotiate: Move the Negotiate state out of the negotiatedata structure
2019-05-15 00:32:42 +01:00
http_negotiate.h
auth: Rename the various authentication clean up functions
2019-05-12 18:37:00 +01:00
http_ntlm.c
http_ntlm: Move the NTLM state out of the ntlmdata structure
2019-05-15 00:31:45 +01:00
http_ntlm.h
auth: Rename the various authentication clean up functions
2019-05-12 18:37:00 +01:00
http_proxy.c
NTLM: reset proxy "multipass" state when CONNECT request is done
2019-06-02 23:11:33 +02:00
http_proxy.h
http.c
http: allow overriding timecond with custom header
2019-07-14 16:17:15 +02:00
http.h
http: allow overriding timecond with custom header
2019-07-14 16:17:15 +02:00
idn_win32.c
if2ip.c
CURLOPT_ADDRESS_SCOPE: fix range check and more
2019-04-13 11:18:55 +02:00
if2ip.h
CURLOPT_ADDRESS_SCOPE: fix range check and more
2019-04-13 11:18:55 +02:00
imap.c
build: fix Codacy warnings
2019-06-05 20:38:06 +02:00
imap.h
imap: change from "FETCH" to "UID FETCH"
2018-09-06 10:57:48 +02:00
inet_ntop.c
snprintf: renamed and we now only use msnprintf()
2018-11-23 08:26:51 +01:00
inet_ntop.h
whitespace fixes
2018-09-23 22:24:02 +00:00
inet_pton.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
inet_pton.h
whitespace fixes
2018-09-23 22:24:02 +00:00
krb5.c
lib: Use UTF-8 encoding in comments
2019-07-06 23:25:20 -04:00
ldap.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
libcurl.plist
libcurl.rc
(lib)curl.rc: fixup for minor bugs
2018-12-10 00:10:04 +01:00
libcurl.vers.in
llist.c
llist.h
whitespace fixes
2018-09-23 22:24:02 +00:00
Makefile.am
makefile: make checksrc and hugefile commands "silent"
2019-03-14 20:11:24 +01:00
makefile.amiga
whitespace fixes
2018-09-23 22:24:02 +00:00
makefile.dj
whitespace fixes
2018-09-23 22:24:02 +00:00
Makefile.inc
wolfssl: refer to it as wolfSSL only
2019-06-10 09:18:16 +02:00
Makefile.m32
whitespace fixes
2018-09-23 22:24:02 +00:00
Makefile.netware
openssl: Remove SSLEAY leftovers
2018-11-17 21:36:10 +01:00
Makefile.vxworks
Makefile.Watcom
openssl: Remove SSLEAY leftovers
2018-11-17 21:36:10 +01:00
md4.c
md4: include the mbedtls config.h to get the MD4 info
2019-05-23 17:06:40 +02:00
md5.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
memdebug.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
memdebug.h
memdebug: make debug-specific functions use curl_dbg_ prefix
2019-03-08 23:21:21 +01:00
mime.c
mime: acknowledge CURL_DISABLE_MIME
2019-05-13 08:17:09 +02:00
mime.h
mime: acknowledge CURL_DISABLE_MIME
2019-05-13 08:17:09 +02:00
mk-ca-bundle.pl
mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
2018-06-14 00:02:20 +02:00
mk-ca-bundle.vbs
spelling fixes
2018-02-23 23:29:01 +00:00
mprintf.c
mprintf: avoid unsigned integer overflow warning
2018-11-02 11:07:04 +01:00
multi.c
multi: enable multiplexing by default (again)
2019-06-23 23:02:23 +02:00
multihandle.h
pipelining: removed
2019-04-06 22:49:50 +02:00
multiif.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
netrc.c
netrc: Return the correct error code when out of memory
2019-06-18 21:00:43 +01:00
netrc.h
netrc: CURL_DISABLE_NETRC
2019-05-17 23:24:34 +02:00
non-ascii.c
non-ascii.c: fix typos in comments
2019-02-12 10:24:29 +01:00
non-ascii.h
nonblock.c
nonblock: fix unused parameter warning
2018-10-14 21:07:45 +02:00
nonblock.h
whitespace fixes
2018-09-23 22:24:02 +00:00
nwlib.c
memory: ensure to check allocation results
2018-10-03 23:45:38 +02:00
nwos.c
openldap.c
cleanup: remove FIXME and TODO comments
2019-05-16 09:16:56 +02:00
parsedate.c
parsedate: CURL_DISABLE_PARSEDATE
2019-05-13 08:17:10 +02:00
parsedate.h
whitespace fixes
2018-09-23 22:24:02 +00:00
pingpong.c
pingpong: ignore regular timeout in disconnect phase
2018-12-17 12:33:00 +01:00
pingpong.h
pingpong: ignore regular timeout in disconnect phase
2018-12-17 12:33:00 +01:00
pop3.c
build: fix Codacy warnings
2019-06-05 20:38:06 +02:00
pop3.h
progress.c
configure: --disable-progress-meter
2019-06-18 22:33:26 +02:00
progress.h
whitespace fixes
2018-09-23 22:24:02 +00:00
psl.c
psl: use latest psl and refresh it periodically
2018-05-28 20:37:14 +02:00
psl.h
psl: use latest psl and refresh it periodically
2018-05-28 20:37:14 +02:00
rand.c
PolarSSL: deprecate support step 1. Removed from configure.
2019-05-22 10:00:56 +02:00
rand.h
PolarSSL: deprecate support step 1. Removed from configure.
2019-05-22 10:00:56 +02:00
rtsp.c
http: allow overriding timecond with custom header
2019-07-14 16:17:15 +02:00
rtsp.h
whitespace fixes
2018-09-23 22:24:02 +00:00
security.c
cleanup: fix typo in comment
2019-07-08 13:19:35 +02:00
select.c
cppcheck: fix warnings
2018-06-11 11:14:48 +02:00
select.h
whitespace fixes
2018-09-23 22:24:02 +00:00
sendf.c
WRITEFUNCTION: add missing set_in_callback around callback
2019-05-05 11:09:30 +02:00
sendf.h
travis: add build for "configure --disable-verbose"
2018-10-18 14:51:49 +02:00
setopt.c
os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.
2019-06-16 01:05:53 +02:00
setopt.h
os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.
2019-06-16 01:05:53 +02:00
setup-os400.h
setup-vms.h
sha256.c
http: fix for tiny "HTTP/0.9" response
2018-08-13 23:16:01 +02:00
share.c
psl: use latest psl and refresh it periodically
2018-05-28 20:37:14 +02:00
share.h
psl: use latest psl and refresh it periodically
2018-05-28 20:37:14 +02:00
sigpipe.h
sigpipe: if mbedTLS is used, ignore SIGPIPE
2019-01-28 12:03:33 +01:00
slist.c
whitespace fixes
2018-09-23 22:24:02 +00:00
slist.h
whitespace fixes
2018-09-23 22:24:02 +00:00
smb.c
smb: Use the correct error code for access denied on file open
2019-07-11 02:57:40 -04:00
smb.h
smb: fix memory leak on early failure
2018-07-30 17:59:36 +02:00
smtp.c
build: fix Codacy warnings
2019-06-05 20:38:06 +02:00
smtp.h
sockaddr.h
whitespace fixes
2018-09-23 22:24:02 +00:00
socks_gssapi.c
snprintf: renamed and we now only use msnprintf()
2018-11-23 08:26:51 +01:00
socks_sspi.c
strerror: make the strerror function use local buffers
2019-02-26 10:20:21 +01:00
socks.c
doh: disable DOH for the cases it doesn't work
2019-05-11 11:38:58 +02:00
socks.h
whitespace fixes
2018-09-23 22:24:02 +00:00
speedcheck.c
speedcheck.h
splay.c
cleanup: remove FIXME and TODO comments
2019-05-16 09:16:56 +02:00
splay.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
ssh-libssh.c
build: fix Codacy warnings
2019-06-05 20:38:06 +02:00
ssh.c
lib: reduce variable scopes
2019-05-20 08:51:11 +02:00
ssh.h
all: s/int/size_t cleanup
2018-09-01 10:40:42 +02:00
strcase.c
strcase.h
Remove unused definitions
2018-08-21 18:53:43 +02:00
strdup.c
Curl_saferealloc: Fixed typo in docblock
2018-09-21 14:24:55 +02:00
strdup.h
strerror.c
strerror: make the strerror function use local buffers
2019-02-26 10:20:21 +01:00
strerror.h
strerror: make the strerror function use local buffers
2019-02-26 10:20:21 +01:00
strtok.c
strtok.h
strtoofft.c
lib: silence null-dereference warnings
2018-04-09 15:54:52 +02:00
strtoofft.h
system_win32.c
win32: make DLL loading a no-op for UWP
2019-06-25 20:33:07 +02:00
system_win32.h
system_win32: fix clang warning
2019-07-11 02:27:04 -04:00
telnet.c
urldata: simplify bytecounters
2019-03-01 17:30:34 +01:00
telnet.h
whitespace fixes
2018-09-23 22:24:02 +00:00
tftp.c
tftp: use the current blksize for recvfrom()
2019-05-20 07:57:49 +02:00
tftp.h
whitespace fixes
2018-09-23 22:24:02 +00:00
timeval.c
build: fix Codacy/CppCheck warnings
2019-04-11 21:08:44 +02:00
timeval.h
printf: introduce CURL_FORMAT_TIMEDIFF_T
2019-01-04 23:51:13 +01:00
transfer.c
lib: Use UTF-8 encoding in comments
2019-07-06 23:25:20 -04:00
transfer.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
url.c
libcurl: Restrict redirect schemes
2019-07-14 16:29:55 +02:00
url.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
urlapi-int.h
headers: Remove no longer exported functions
2019-07-10 19:26:40 +02:00
urlapi.c
urlapi: increase supported scheme length to 40 bytes
2019-05-20 15:27:02 +02:00
urldata.h
multi: make sure 'data' can present in several sockhash entries
2019-06-10 00:47:48 +02:00
version.c
version: make ssl_version buffer match for multi_ssl
2019-05-19 22:06:26 +02:00
warnless.c
cleanup: make local functions static
2019-02-10 18:38:57 +01:00
warnless.h
cleanup: make local functions static
2019-02-10 18:38:57 +01:00
wildcard.c
wildcard: disable from build when FTP isn't present
2019-05-13 08:17:09 +02:00
wildcard.h
wildcard: disable from build when FTP isn't present
2019-05-13 08:17:09 +02:00
x509asn1.c
wolfssl: refer to it as wolfSSL only
2019-06-10 09:18:16 +02:00
x509asn1.h
wolfssl: refer to it as wolfSSL only
2019-06-10 09:18:16 +02:00