[ioquake3] 08/34: Only allow safe protocols for cURL downloads
Simon McVittie
smcv at debian.org
Fri Sep 8 10:33:19 UTC 2017
This is an automated email from the git hooks/post-receive script.
smcv pushed a commit to annotated tag debian/1.36+u20170908+dfsg1-1
in repository ioquake3.
commit bae86208f94499fbd49ac8c87289153ad8169a9d
Author: Mickaël Thomas <mickael9 at gmail.com>
Date: Wed Aug 16 04:47:27 2017 +0200
Only allow safe protocols for cURL downloads
A malicious server could abuse dangerous protocols such as gopher:// to,
for instance, send mail via SMTP.
---
code/client/cl_curl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/code/client/cl_curl.c b/code/client/cl_curl.c
index 3ff5a3d..5384390 100644
--- a/code/client/cl_curl.c
+++ b/code/client/cl_curl.c
@@ -299,6 +299,8 @@ void CL_cURL_BeginDownload( const char *localName, const char *remoteURL )
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FAILONERROR, 1);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_FOLLOWLOCATION, 1);
qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_MAXREDIRS, 5);
+ qcurl_easy_setopt_warn(clc.downloadCURL, CURLOPT_PROTOCOLS,
+ CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP | CURLPROTO_FTPS);
clc.downloadCURLM = qcurl_multi_init();
if(!clc.downloadCURLM) {
qcurl_easy_cleanup(clc.downloadCURL);
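Review bot: With CURLOPT_FOLLOWLOCATION enabled two lines above the added call, the redirect policy is left implicit: the hunk sets CURLOPT_PROTOCOLS but not CURLOPT_REDIR_PROTOCOLS. libcurl applies the CURLOPT_PROTOCOLS mask to redirect targets as well, so a redirect to gopher:// is refused too. Setting CURLOPT_REDIR_PROTOCOLS explicitly (to the same mask, or to CURLPROTO_HTTP | CURLPROTO_HTTPS if a redirect into FTP is not wanted) would still state that intent in the code instead of leaving it to library behaviour. A short comment above the call recording why the allowlist exists (the gopher:// to SMTP case from the commit message) would also help the next reader.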
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/ioquake3.git