debuginfod-client: Stick to http:// + https:// + file:// protocols
author Mark Wielaard <mark@klomp.org>
Fri, 15 Oct 2021 13:16:54 +0000 (15:16 +0200)
committer Mark Wielaard <mark@klomp.org>
Fri, 15 Oct 2021 13:23:22 +0000 (15:23 +0200)
Make sure we don't use any of the more experimental protocols
libcurl might support. URLs can be redirected and we might want
to follow http -> https, but not e.g. gopher or pop3.

Suggested-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Signed-off-by: Mark Wielaard <mark@klomp.org>
debuginfod/ChangeLog
debuginfod/debuginfod-client.c

index de833f7..a91749e 100644 (file)
@@ -1,3 +1,8 @@
+2021-10-15  Mark Wielaard  <mark@klomp.org>
+
+       * debuginfod-client.c (debuginfod_query_server): Set
+       CURLOPT_PROTOCOLS.
+
 2021-10-06  Di Chen <dichen@redhat.com>
 
        PR28242
index 88e4556..bd947ae 100644 (file)
@@ -973,6 +973,10 @@ debuginfod_query_server (debuginfod_client *c,
       if (vfd >= 0)
        dprintf (vfd, "url %d %s\n", i, data[i].url);
 
+      /* Only allow http:// + https:// + file:// so we aren't being
+        redirected to some unsupported protocol.  */
+      curl_easy_setopt(data[i].handle, CURLOPT_PROTOCOLS,
+                      CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FILE);
       curl_easy_setopt(data[i].handle, CURLOPT_URL, data[i].url);
       if (vfd >= 0)
        curl_easy_setopt(data[i].handle, CURLOPT_ERRORBUFFER, data[i].errbuf);
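Review bot: the new comment gives redirect control as the goal, but the added call sets only CURLOPT_PROTOCOLS, with CURLPROTO_FILE in the mask, and leaves the set of permitted redirect targets to libcurl's default. Consider also setting CURLOPT_REDIR_PROTOCOLS explicitly to CURLPROTO_HTTP | CURLPROTO_HTTPS on the same handle, so that a server response can never steer the client to a file:// URL whatever default the installed libcurl has, while file:// stays usable for URLs the user configured. The mask as written also permits an https -> http redirect; if only the http -> https direction mentioned in the commit message is wanted, that needs separate handling. Finally, the return value of the new curl_easy_setopt call is discarded, as with the neighbouring calls; because this option is a security restriction, a failure to apply it should abort the query rather than let the transfer proceed unrestricted.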