[Pkg-owncloud-commits] [php-sabredav] 220/275: Only accept HTTP and HTTPS as protocol
David Prévot
taffit at moszumanska.debian.org
Thu Sep 25 14:56:11 UTC 2014
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository php-sabredav.
commit c8ca4c25ad98195b8d0f7a1e5c070f7c31a5537d
Author: Lukas Reschke <lukas at owncloud.com>
Date: Thu Sep 11 19:45:34 2014 +0200
Only accept HTTP and HTTPS as protocol
We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of an FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server)
See https://github.com/owncloud/core/pull/11032 for the change in ownCloud and https://github.com/fruux/sabre-http/pull/14 for the PR for sabre-http
---
lib/Sabre/DAV/Client.php | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/Sabre/DAV/Client.php b/lib/Sabre/DAV/Client.php
index 705b321..ba5c472 100644
--- a/lib/Sabre/DAV/Client.php
+++ b/lib/Sabre/DAV/Client.php
@@ -322,6 +322,8 @@ class Client {
// Automatically follow redirects
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_MAXREDIRS => 5,
+ CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
+ CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
);
if($this->verifyPeer !== null) {
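Review bot: The two added options at the end of the settings array restrict the scheme only, so with `CURLOPT_FOLLOWLOCATION => true` and `CURLOPT_MAXREDIRS => 5` a redirect to an http:// or https:// URL on a host inside the secure zone is still followed. If the network-restriction concern in the commit message is meant to cover those targets as well, the redirect destination needs a host check in addition to the scheme limit, or redirects should be handled by the caller instead of curl. The existing comment "// Automatically follow redirects" now sits above lines that also restrict protocols; a short comment on the two new lines saying why only HTTP and HTTPS are allowed would keep a later edit from dropping them. The diffstat shows only lib/Sabre/DAV/Client.php changed, so no test pins the new settings.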
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/php-sabredav.git