aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authoreldritch horrors <pennae@lix.systems>2024-10-22 18:00:00 +0200
committereldritch horrors <pennae@lix.systems>2024-10-23 11:32:14 +0000
commit67f1aafd610c028b160f2f2ac805e671ed7073de (patch)
treeb3c446132769e130b023642b4d0cb618b7e4a483 /src
parent1d9d40b2a663464f1e6800d6de8df61433507423 (diff)
libstore: restrict curl protocols
previously it was possible to fetchurl a dict server, or an ldap server, or an imap server. this is a bit of a problem, both because rare schemes may not be available on all systems, and because some schemes (e.g. scp) are inherently insecure in potentially surprising ways we needn't allow. Change-Id: I18fc567c6f58c3221b5ea8ce927f4da780057828
Diffstat (limited to 'src')
-rw-r--r--src/libstore/filetransfer.cc2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
index 34b92148e..acbb042b7 100644
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@@ -282,6 +282,8 @@ struct curlFileTransfer : public FileTransfer
curl_easy_setopt(req, CURLOPT_PROGRESSDATA, this);
curl_easy_setopt(req, CURLOPT_NOPROGRESS, 0);
+ curl_easy_setopt(req, CURLOPT_PROTOCOLS_STR, "http,https,ftp,ftps,file");
+
curl_easy_setopt(req, CURLOPT_HTTPHEADER, requestHeaders);
if (settings.downloadSpeed.get() > 0)