From ef193efa2f1d6d3d111a082810b5ecc28947d16c Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Mon, 8 Jan 2024 19:18:24 +0100
Subject: improve curl backwards compatibility, de-duplicate code
---
 src/curl/curl.c | 52 ++++++++++++++++++++++++++++++++++++
 src/include/taler_curl_lib.h | 13 +++++++++
 src/lib/auditor_api_curl_defaults.c | 24 +++--------------
 src/lib/exchange_api_curl_defaults.c | 25 +++--------------
 4 files changed, 71 insertions(+), 43 deletions(-)
(limited to 'src')
diff --git a/src/curl/curl.c b/src/curl/curl.c
index caa0052f7..61a1ca954 100644
--- a/src/curl/curl.c
+++ b/src/curl/curl.c
@@ -30,6 +30,58 @@ #endif
+void
+TALER_curl_set_secure_redirect_policy (CURL *eh,
+ const char *url)
+{
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_FOLLOWLOCATION,
+ 1L));
+ GNUNET_assert ( (0 == strncasecmp (url, ||
+ "https://",
+ strlen ("https://"))) ||
+ (0 == strncasecmp (url,
+ "https://",
+ strlen ("http://"))) );
+#ifdef CURLOPT_REDIR_PROTOCOLS_STR
+ if (0 == strncasecmp (url,
+ "https://",
+ strlen ("https://")))
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS_STR,
+ "https"));
+ else
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS_STR,
+ "http,https"));
+#else
+#ifdef CURLOPT_REDIR_PROTOCOLS
+ if (0 == strncasecmp (url,
+ "https://",
+ strlen ("https://")))
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS,
+ CURLPROTO_HTTPS));
+ else
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS,
+ CURLPROTO_HTTP | CURLPROTO_HTTPS));
+#endif
+#endif
+ /* limit MAXREDIRS to 5 as a simple security measure against
+ a potential infinite loop caused by a malicious target */
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_MAXREDIRS,
+ 5L));
+}
+
+
 enum GNUNET_GenericReturnValue TALER_curl_easy_post (struct TALER_CURL_PostContext *ctx, CURL *eh,
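Review bot: The scheme assertion at the top of TALER_curl_set_secure_redirect_policy in src/curl/curl.c rejects every plain `http://` URL, because the second `strncasecmp` compares `url` against `"https://"` over `strlen ("http://")` bytes; this also makes the `"http,https"` and `CURLPROTO_HTTP | CURLPROTO_HTTPS` branches below unreachable. The second literal should be `"http://"`. As rendered here the first call also carries a stray `||` after `url,`, which would not compile and should be dropped. Separately, libcurl declares its `CURLOPT_*` options as enum members rather than preprocessor macros, so both `#ifdef CURLOPT_REDIR_PROTOCOLS_STR` and `#ifdef CURLOPT_REDIR_PROTOCOLS` are probably false and the function would then enable `CURLOPT_FOLLOWLOCATION` with no redirect-protocol restriction at all (please confirm against the curl.h in use). A version test such as `#if CURL_AT_LEAST_VERSION (7, 85, 0)` would pick the string option reliably, with the bitmask option as the `#else` branch.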
diff --git a/src/include/taler_curl_lib.h b/src/include/taler_curl_lib.h
index 04dc20b9e..f108e6158 100644
--- a/src/include/taler_curl_lib.h
+++ b/src/include/taler_curl_lib.h
@@ -79,4 +79,17 @@ void TALER_curl_easy_post_finished (struct TALER_CURL_PostContext *ctx);
+/**
+ * Set a secure redirection policy, allowing a limited
+ * number of redirects and only going from HTTP to HTTPS
+ * but not from HTTPS to HTTP.
+ *
+ * @param[in,out] eh easy handle to modify
+ * @param url URL to base the redirect policy on;
+ * must start with "http://" or "https://"
+ */
+void
+TALER_curl_set_secure_redirect_policy (CURL *eh,
+ const char *url);
+
 #endif
diff --git a/src/lib/auditor_api_curl_defaults.c b/src/lib/auditor_api_curl_defaults.c
index 1565dfdea..a674f5fd2 100644
--- a/src/lib/auditor_api_curl_defaults.c
+++ b/src/lib/auditor_api_curl_defaults.c
@@ -19,6 +19,7 @@ * @brief curl easy handle defaults * @author Florian Dold */
+#include "taler_curl_lib.h"
 #include "auditor_api_curl_defaults.h"
@@ -37,33 +38,14 @@ TALER_AUDITOR_curl_easy_get_ (const char *url) curl_easy_setopt (eh, CURLOPT_URL, url));
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_FOLLOWLOCATION,
- 1L));
- if (0 == strcasecmp (url,
- "https://"))
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "https"));
- else
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "http,https"));
+ TALER_curl_set_secure_redirect_policy (eh,
+ url);
 /* Enable compression (using whatever curl likes), see https://curl.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html */ GNUNET_break (CURLE_OK == curl_easy_setopt (eh, CURLOPT_ACCEPT_ENCODING, ""));
- /* limit MAXREDIRS to 5 as a simple security measure against
- a potential infinite loop caused by a malicious target */
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_MAXREDIRS,
- 5L));
 GNUNET_assert (CURLE_OK == curl_easy_setopt (eh, CURLOPT_TCP_FASTOPEN,
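Review bot: The new doc comment in src/include/taler_curl_lib.h describes the policy less precisely than the implementation in this commit behaves, which matters for a function named "secure". It says redirects only go from HTTP to HTTPS, but for an `http://` base URL the implementation allows `"http,https"`, so HTTP-to-HTTP redirects stay permitted; I would reword the summary to `for an "https://" URL only HTTPS redirects are followed; for an "http://" URL both HTTP and HTTPS redirects are followed`. The `@param url` text should also state that the precondition is enforced with `GNUNET_assert`, so that callers know an unexpected scheme ends the process instead of returning an error. Stating the cap of 5 redirects would make "limited number" concrete.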
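Review bot: With this call, TALER_AUDITOR_curl_easy_get_ in src/lib/auditor_api_curl_defaults.c now aborts on any `url` that does not begin with `http://` or `https://`, because the helper enforces the scheme with `GNUNET_assert`; the removed lines had no check that could fail on the scheme. If `url` can come from configuration or from data supplied by a remote party (not visible in this hunk), a malformed value turns into a crash where it used to be a failed request, so the scheme should be validated before the handle is configured, or the precondition documented on this function. The same applies to TALER_EXCHANGE_curl_easy_get_ in src/lib/exchange_api_curl_defaults.c. The function starts and ends outside the hunk, so the error path it could use is not visible here.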
diff --git a/src/lib/exchange_api_curl_defaults.c b/src/lib/exchange_api_curl_defaults.c
index 907b845bf..68bc360f9 100644
--- a/src/lib/exchange_api_curl_defaults.c
+++ b/src/lib/exchange_api_curl_defaults.c
@@ -19,7 +19,7 @@ * @brief curl easy handle defaults * @author Florian Dold */
-
+#include "taler_curl_lib.h"
 #include "exchange_api_curl_defaults.h"
@@ -38,33 +38,14 @@ TALER_EXCHANGE_curl_easy_get_ (const char *url) curl_easy_setopt (eh, CURLOPT_URL, url));
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_FOLLOWLOCATION,
- 1L));
- if (0 == strcasecmp (url,
- "https://"))
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "https"));
- else
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "http,https"));
+ TALER_curl_set_secure_redirect_policy (eh,
+ url);
 /* Enable compression (using whatever curl likes), see https://curl.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html */ GNUNET_break (CURLE_OK == curl_easy_setopt (eh, CURLOPT_ACCEPT_ENCODING, ""));
- /* limit MAXREDIRS to 5 as a simple security measure against
- a potential infinite loop caused by a malicious target */
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_MAXREDIRS,
- 5L));
 GNUNET_assert (CURLE_OK == curl_easy_setopt (eh, CURLOPT_TCP_FASTOPEN,
-- cgit v1.2.3