Bug 117257

Summary: [curl] Restrict allowed protocols
Product: WebKit Reporter: Peter Gal <galpeter>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 117300    
Attachments:
Description Flags
proposed patch none

Description Peter Gal 2013-06-05 08:38:22 PDT 
curl supports various protocols (like: HTTP,...,POP3,IMAP...) and by default all of the are enabled for a single curl handle. Furthermore all of the protocols are allowed during location follow. This could pose a security risk for example: a malicious server responds with a crafted Location header pointing to an imap/../(etc) url and the curl backend will follow it and will give the result for the WebCore.

The curl API allows protocol restriction, so this feature can be easily implemented. As far as I know other backend only support HTTP, HTTPS, FTP, FTPS and FILE protocols.
Comment 1 Peter Gal 2013-06-05 08:39:37 PDT 
Created attachment 203855 [details]
proposed patch
Comment 2 Brent Fulgham 2013-06-05 14:01:20 PDT 
Comment on attachment 203855 [details]
proposed patch

This looks like a very smart change. r=me.
Comment 3 WebKit Commit Bot 2013-06-05 14:30:38 PDT 
Comment on attachment 203855 [details]
proposed patch

Clearing flags on attachment: 203855

Committed r151238: <http://trac.webkit.org/changeset/151238>
Comment 4 WebKit Commit Bot 2013-06-05 14:30:40 PDT 
All reviewed patches have been landed.  Closing bug.