From 67f1aafd610c028b160f2f2ac805e671ed7073de Mon Sep 17 00:00:00 2001
From: eldritch horrors <pennae@lix.systems>
Date: Tue, 22 Oct 2024 18:00:00 +0200
Subject: libstore: restrict curl protocols

previously it was possible to fetchurl a dict server, or an ldap server,
or an imap server. this is a bit of a problem, both because rare schemes
may not be available on all systems, and because some schemes (e.g. scp)
are inherently insecure in potentially surprising ways we needn't allow.

Change-Id: I18fc567c6f58c3221b5ea8ce927f4da780057828
---
 src/libstore/filetransfer.cc | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src/libstore/filetransfer.cc')

diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
index 34b92148e..acbb042b7 100644
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@@ -282,6 +282,8 @@ struct curlFileTransfer : public FileTransfer
             curl_easy_setopt(req, CURLOPT_PROGRESSDATA, this);
             curl_easy_setopt(req, CURLOPT_NOPROGRESS, 0);
 
+            curl_easy_setopt(req, CURLOPT_PROTOCOLS_STR, "http,https,ftp,ftps,file");
+
             curl_easy_setopt(req, CURLOPT_HTTPHEADER, requestHeaders);
 
             if (settings.downloadSpeed.get() > 0)
-- 
cgit v1.2.3