ioquake
/
ioq3
mirror of https://github.com/ioquake/ioq3.git
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Only allow safe protocols for cURL downloads 

A malicious server could abuse dangerous protocols such as gopher:// to,
for instance, send mail via SMTP.
This commit is contained in:
Mickaël Thomas 2017-08-16 04:47:27 +02:00 committed by Zack Middleton
parent 9736e7ff91
commit bae86208f9
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
code/client/cl_curl.c
View File

@ -299,6 +299,8 @@ void CL_cURL_BeginDownload( const char *localName, const char *remoteURL )
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FAILONERROR, 1);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FOLLOWLOCATION, 1);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_MAXREDIRS, 5);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_PROTOCOLS,
CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP | CURLPROTO_FTPS);
clc.downloadCURLM = qcurl_multi_init();
if(!clc.downloadCURLM) {
qcurl_easy_cleanup(clc.downloadCURL);