RESOLVED FIXED
Bug 117257
[curl] Restrict allowed protocols
https://bugs.webkit.org/show_bug.cgi?id=117257
Peter Gal
Reported
2013-06-05 08:38:22 PDT
curl supports various protocols (like HTTP, ..., POP3, IMAP, ...) and by default all of them are enabled for a single curl handle. Furthermore, all of the protocols are allowed during location follow. This could pose a security risk; for example, a malicious server responds with a crafted Location header pointing to an imap/../(etc) url and the curl backend will follow it and will give the result to WebCore. The curl API allows protocol restriction, so this feature can be easily implemented. As far as I know, other backends only support the HTTP, HTTPS, FTP, FTPS and FILE protocols.
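The check that restricting redirect protocols amounts to, as an added example that is not part of this bug report or of the WebKit patch: a Location target is followed only when its scheme is one of the five protocols named in the report. The function names and sample URLs are hypothetical; in libcurl itself the corresponding options are CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist taken from the report: HTTP, HTTPS, FTP, FTPS and FILE. */
static const char *const allowed[] = { "http", "https", "ftp", "ftps", "file" };

/* Length of the RFC 3986 scheme at the start of url, 0 if there is none. */
static size_t scheme_length(const char *url)
{
    size_t i = 0;
    if (!isalpha((unsigned char)url[0]))
        return 0;
    while (isalnum((unsigned char)url[i]) || url[i] == '+' || url[i] == '-' || url[i] == '.')
        i++;
    return url[i] == ':' ? i : 0;
}

/* Case-insensitive match of the first len bytes of s against the allowlist. */
static int scheme_is_allowed(const char *s, size_t len)
{
    for (size_t k = 0; k < sizeof(allowed) / sizeof(allowed[0]); k++) {
        size_t j = 0;
        if (strlen(allowed[k]) != len)
            continue;
        while (j < len && tolower((unsigned char)s[j]) == allowed[k][j])
            j++;
        if (j == len)
            return 1;
    }
    return 0;
}

/* Returns 1 when a redirect from base_url to the Location value may be followed. */
int redirect_allowed(const char *base_url, const char *location)
{
    while (*location == ' ' || *location == '\t') /* skip leading whitespace */
        location++;
    size_t n = scheme_length(location);
    if (n == 0) { /* relative reference: it keeps the scheme of the base URL */
        location = base_url;
        n = scheme_length(base_url);
    }
    return n > 0 && scheme_is_allowed(location, n);
}

int main(void)
{   /* Constructed sample: an HTTP response redirecting to an IMAP URL. */
    printf("%d\n", redirect_allowed("http://site.example/", "imap://mail.example/INBOX"));
    return 0;
}
```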
Attachments
proposed patch (2.44 KB, patch), 2013-06-05 08:39 PDT, Peter Gal, no flags
Peter Gal
Comment 1
2013-06-05 08:39:37 PDT
Created attachment 203855: proposed patch
Brent Fulgham
Comment 2
2013-06-05 14:01:20 PDT
Comment on attachment 203855: proposed patch
This looks like a very smart change. r=me.
WebKit Commit Bot
Comment 3
2013-06-05 14:30:38 PDT
Comment on attachment 203855: proposed patch
Clearing flags on attachment: 203855
Committed r151238: <http://trac.webkit.org/changeset/151238>
WebKit Commit Bot
Comment 4
2013-06-05 14:30:40 PDT
All reviewed patches have been landed. Closing bug.