From bae86208f94499fbd49ac8c87289153ad8169a9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Thomas?=
Date: Wed, 16 Aug 2017 04:47:27 +0200
Subject: [PATCH] Only allow safe protocols for cURL downloads A malicious server could abuse dangerous protocols such as gopher:// to, for instance, send mail via SMTP.
---
 code/client/cl_curl.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/code/client/cl_curl.c b/code/client/cl_curl.c
index 3ff5a3d8..5384390e 100644
--- a/code/client/cl_curl.c
+++ b/code/client/cl_curl.c
@@ -299,6 +299,8 @@ void CL_cURL_BeginDownload( const char *localName, const char *remoteURL )
 qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FAILONERROR, 1);
 qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FOLLOWLOCATION, 1);
 qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_MAXREDIRS, 5);
+ qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_PROTOCOLS,
+ CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP | CURLPROTO_FTPS);
 clc.downloadCURLM = qcurl_multi_init();
 if(!clc.downloadCURLM) {
 qcurl_easy_cleanup(clc.downloadCURL);
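Review bot: The protocol allow-list on the added `CURLOPT_PROTOCOLS` call appears to fail open: it goes through `qcurl_easy_setopt_warn`, which by its name only reports a failed setopt, so if libcurl rejects the option (for example a build too old to know it) the download would presumably still start with every protocol enabled. Since this option is the security control here, its result should be checked and the download abandoned on anything other than `CURLE_OK`, following the same `qcurl_easy_cleanup(clc.downloadCURL)` path used after the `qcurl_multi_init()` check. The wrapper's definition and the rest of CL_cURL_BeginDownload are outside the hunk, so confirm what it actually does on failure. FTP and FTPS stay on the list; if they are needed, adding `qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FTP_SKIP_PASV_IP, 1);` keeps the FTP data connection on the control connection's address instead of one the server names.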