117257 2013-06-05 08:38:22 -0700 [curl] Restrict allowed protocols 2013-06-13 06:59:09 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 117300 0 galpeter webkit-unassigned bfulgham commit-queue oldest_to_newest 897429 0 galpeter 2013-06-05 08:38:22 -0700 curl supports various protocols (like: HTTP,...,POP3,IMAP...) and by default all of the are enabled for a single curl handle. Furthermore all of the protocols are allowed during location follow. This could pose a security risk for example: a malicious server responds with a crafted Location header pointing to an imap/../(etc) url and the curl backend will follow it and will give the result for the WebCore. The curl API allows protocol restriction, so this feature can be easily implemented. As far as I know other backend only support HTTP, HTTPS, FTP, FTPS and FILE protocols. 897430 1 203855 galpeter 2013-06-05 08:39:37 -0700 Created attachment 203855 proposed patch 897543 2 203855 bfulgham 2013-06-05 14:01:20 -0700 Comment on attachment 203855 proposed patch This looks like a very smart change. r=me. 897559 3 203855 commit-queue 2013-06-05 14:30:38 -0700 Comment on attachment 203855 proposed patch Clearing flags on attachment: 203855 Committed r151238: <http://trac.webkit.org/changeset/151238> 897560 4 commit-queue 2013-06-05 14:30:40 -0700 All reviewed patches have been landed. Closing bug. 203855 2013-06-05 08:39:37 -0700 2013-06-05 14:30:38 -0700 proposed patch curl_allowed_protocols.patch text/plain 2501 galpeter ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCAwOGE5ZWJlLi42MjNjZjAxIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMjIg QEAKKzIwMTMtMDYtMDUgIFBldGVyIEdhbCAgPGdhbHBldGVyQGluZi51LXN6ZWdlZC5odT4KKwor ICAgICAgICBbY3VybF0gUmVzdHJpY3QgYWxsb3dlZCBwcm90b2NvbHMKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTExNzI1NworCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIGN1cmwgc3VwcG9ydHMgdmFyaW91cyBw cm90b2NvbHMgKGxpa2U6IEhUVFAsLi4uLFBPUDMsSU1BUC4uLikgYW5kIGJ5CisgICAgICAgIGRl ZmF1bHQgYWxsIG9mIHRoZSBhcmUgZW5hYmxlZCBmb3IgYSBzaW5nbGUgY3VybCBoYW5kbGUuIEZ1 cnRoZXJtb3JlCisgICAgICAgIGFsbCBvZiB0aGUgcHJvdG9jb2xzIGFyZSBhbGxvd2VkIGR1cmlu ZyBMb2NhdGlvbiBoZWFkZXIgZm9sbG93LgorICAgICAgICBUaGlzIGNvdWxkIHBvc2UgYSBzZWN1 cml0eSByaXNrIGZvciBleGFtcGxlOiBhIG1hbGljaW91cyBzZXJ2ZXIgcmVzcG9uZHMKKyAgICAg ICAgd2l0aCBhIGNyYWZ0ZWQgTG9jYXRpb24gaGVhZGVyIHBvaW50aW5nIHRvIGFuIGltYXAvLi4v KGV0YykgdXJsIGFuZCB0aGUKKyAgICAgICAgY3VybCBiYWNrZW5kIHdpbGwgZm9sbG93IGl0IGFu ZCB3aWxsIGdpdmUgdGhlIHJlc3VsdCBmb3IgdGhlIFdlYkNvcmUuCisKKyAgICAgICAgVGhpcyBw YXRjaCB3aWxsIHJlc3RyaWN0IHRoZSBhbGxvd2VkIHByb3RvY29scyB0bzogSFRUUChTKSwgRlRQ KFMpLCBGSUxFCisKKyAgICAgICAgKiBwbGF0Zm9ybS9uZXR3b3JrL2N1cmwvUmVzb3VyY2VIYW5k bGVNYW5hZ2VyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlJlc291cmNlSGFuZGxlTWFuYWdlcjo6 aW5pdGlhbGl6ZUhhbmRsZSk6CisKIDIwMTMtMDYtMDUgIENocmlzdG9waGUgRHVtZXogIDxjaC5k dW1lekBzaXNhLnNhbXN1bmcuY29tPgogCiAgICAgICAgIFVucmV2aWV3ZWQgYnVpbGQgZml4IHdo ZW4gQ0hBTk5FTF9NRVNTQUdJTkcgaXMgZGlzYWJsZWQuCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2Vi Q29yZS9wbGF0Zm9ybS9uZXR3b3JrL2N1cmwvUmVzb3VyY2VIYW5kbGVNYW5hZ2VyLmNwcCBiL1Nv dXJjZS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvY3VybC9SZXNvdXJjZUhhbmRsZU1hbmFnZXIu Y3BwCmluZGV4IDI1N2I1NzAuLjQzYzU5OTIgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3Bs YXRmb3JtL25ldHdvcmsvY3VybC9SZXNvdXJjZUhhbmRsZU1hbmFnZXIuY3BwCisrKyBiL1NvdXJj ZS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvY3VybC9SZXNvdXJjZUhhbmRsZU1hbmFnZXIuY3Bw CkBAIC02NTcsNiArNjU3LDcgQEAgdm9pZCBSZXNvdXJjZUhhbmRsZU1hbmFnZXI6OnN0YXJ0Sm9i KFJlc291cmNlSGFuZGxlKiBqb2IpCiAKIHZvaWQgUmVzb3VyY2VIYW5kbGVNYW5hZ2VyOjppbml0 aWFsaXplSGFuZGxlKFJlc291cmNlSGFuZGxlKiBqb2IpCiB7CisgICAgc3RhdGljIGNvbnN0IGlu dCBhbGxvd2VkUHJvdG9jb2xzID0gQ1VSTFBST1RPX0ZJTEUgfCBDVVJMUFJPVE9fRlRQIHwgQ1VS TFBST1RPX0ZUUFMgfCBDVVJMUFJPVE9fSFRUUCB8IENVUkxQUk9UT19IVFRQUzsKICAgICBLVVJM IGt1cmwgPSBqb2ItPmZpcnN0UmVxdWVzdCgpLnVybCgpOwogCiAgICAgLy8gUmVtb3ZlIGFueSBm cmFnbWVudCBwYXJ0LCBvdGhlcndpc2UgY3VybCB3aWxsIHNlbmQgaXQgYXMgcGFydCBvZiB0aGUg cmVxdWVzdC4KQEAgLTcwMCw2ICs3MDEsOCBAQCB2b2lkIFJlc291cmNlSGFuZGxlTWFuYWdlcjo6 aW5pdGlhbGl6ZUhhbmRsZShSZXNvdXJjZUhhbmRsZSogam9iKQogICAgIGN1cmxfZWFzeV9zZXRv cHQoZC0+bV9oYW5kbGUsIENVUkxPUFRfSFRUUEFVVEgsIENVUkxBVVRIX0FOWSk7CiAgICAgY3Vy bF9lYXN5X3NldG9wdChkLT5tX2hhbmRsZSwgQ1VSTE9QVF9TSEFSRSwgbV9jdXJsU2hhcmVIYW5k bGUpOwogICAgIGN1cmxfZWFzeV9zZXRvcHQoZC0+bV9oYW5kbGUsIENVUkxPUFRfRE5TX0NBQ0hF X1RJTUVPVVQsIDYwICogNSk7IC8vIDUgbWludXRlcworICAgIGN1cmxfZWFzeV9zZXRvcHQoZC0+ bV9oYW5kbGUsIENVUkxPUFRfUFJPVE9DT0xTLCBhbGxvd2VkUHJvdG9jb2xzKTsKKyAgICBjdXJs X2Vhc3lfc2V0b3B0KGQtPm1faGFuZGxlLCBDVVJMT1BUX1JFRElSX1BST1RPQ09MUywgYWxsb3dl ZFByb3RvY29scyk7CiAgICAgLy8gRklYTUU6IEVuYWJsZSBTU0wgdmVyaWZpY2F0aW9uIHdoZW4g d2UgaGF2ZSBhIHdheSBvZiBzaGlwcGluZyBjZXJ0cwogICAgIC8vIGFuZC9vciByZXBvcnRpbmcg U1NMIGVycm9ycyB0byB0aGUgdXNlci4KICAgICBpZiAoaWdub3JlU1NMRXJyb3JzKQo=