ioquake/ioq3
0
0
Fork 0
mirror of https://github.com/ioquake/ioq3.git synced 2024-11-10 07:11:46 +00:00
Code Issues Projects Releases Packages Wiki Activity

Only allow safe protocols for cURL downloads

Browse source 
A malicious server could abuse dangerous protocols such as gopher:// to,
for instance, send mail via SMTP.
This commit is contained in:
Mickaël Thomas 2017-08-16 04:47:27 +02:00 committed by Zack Middleton
parent 9736e7ff91
commit bae86208f9
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
code/client/cl_curl.c
View file

@ -299,6 +299,8 @@ void CL_cURL_BeginDownload( const char *localName, const char *remoteURL )
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FAILONERROR, 1);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FOLLOWLOCATION, 1);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_MAXREDIRS, 5);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_PROTOCOLS,
CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP | CURLPROTO_FTPS);
clc.downloadCURLM = qcurl_multi_init();
if(!clc.downloadCURLM) {
qcurl_easy_cleanup(clc.downloadCURL);