117257 – [curl] Restrict allowed protocols

Bug 117257 - [curl] Restrict allowed protocols

Summary: [curl] Restrict allowed protocols

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	117300
	Show dependency tree / graph

Reported:	2013-06-05 08:38 PDT by Peter Gal
Modified:	2013-06-13 06:59 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
proposed patch (2.44 KB, patch) 2013-06-05 08:39 PDT, Peter Gal	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Peter Gal 2013-06-05 08:38:22 PDT

curl supports various protocols (like: HTTP,...,POP3,IMAP...) and by default all of the are enabled for a single curl handle. Furthermore all of the protocols are allowed during location follow. This could pose a security risk for example: a malicious server responds with a crafted Location header pointing to an imap/../(etc) url and the curl backend will follow it and will give the result for the WebCore.

The curl API allows protocol restriction, so this feature can be easily implemented. As far as I know other backend only support HTTP, HTTPS, FTP, FTPS and FILE protocols.

Comment 1 Peter Gal 2013-06-05 08:39:37 PDT

Created attachment 203855 [details]
proposed patch

Comment 2 Brent Fulgham 2013-06-05 14:01:20 PDT

Comment on attachment 203855 [details]
proposed patch

This looks like a very smart change. r=me.

Comment 3 WebKit Commit Bot 2013-06-05 14:30:38 PDT

Comment on attachment 203855 [details]
proposed patch

Clearing flags on attachment: 203855

Committed r151238: <http://trac.webkit.org/changeset/151238>

Comment 4 WebKit Commit Bot 2013-06-05 14:30:40 PDT

All reviewed patches have been landed.  Closing bug.