doh: allow only http and https in debug mode

Otherwise curl may be told to use for instance pop3 to communicate with the doh server, which most likely is not what you want. Found through fuzzing. Closes #4406
curl · Sep 23, 2019 · a5bf6a3 · a5bf6a3
1 parent bb74201
commit a5bf6a3
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/doh.c b/lib/doh.c
@@ -264,6 +264,9 @@ static CURLcode dohprobe(struct Curl_easy *data,
 #ifndef CURLDEBUG
     /* enforce HTTPS if not debug */
     ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+#else
+    /* in debug mode, also allow http */
+    ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS);
 #endif
     ERROR_CHECK_SETOPT(CURLOPT_TIMEOUT_MS, (long)timeout_ms);
     if(data->set.verbose)