libcurl: Restrict redirect schemes #4094
All protocols except for
An example of what an adversary can do looks like the following:
For more information about
This PR flips the blacklisting logic of only stating which protocols should be denied and makes this a whitelist of only HTTP/HTTPS and FTP/FTPS. This is also "future-proof", so that other newly supported protocols in the future won't bite any unsuspecting user through redirects.
For context, there is already a discussion on the curl-library mailing list about this.
Awaiting your comments on this.
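
The deny-list versus allow-list behaviour described in the PR text, as an added sketch that is not part of the PR or of libcurl's source. The protocol bits, the `newproto` scheme and the one-entry deny-list are constructed for illustration; the allow-list is the HTTP/HTTPS and FTP/FTPS set named above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol bits for this sketch; not libcurl's CURLPROTO_* values. */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4, P_FTPS = 8, P_FILE = 16, P_NEWPROTO = 32 };

static const struct { const char *scheme; unsigned bit; } known[] = {
    {"http", P_HTTP}, {"https", P_HTTPS}, {"ftp", P_FTP}, {"ftps", P_FTPS},
    {"file", P_FILE},
    {"newproto", P_NEWPROTO}, /* constructed: a protocol added in a later release */
};

/* Map an absolute URL's scheme (case-insensitive) to its bit; 0 if unknown. */
static unsigned scheme_bit(const char *url)
{
    const char *sep = strstr(url, "://");
    size_t len = sep ? (size_t)(sep - url) : 0;
    for (size_t i = 0; len && i < sizeof known / sizeof known[0]; i++) {
        size_t j = 0;
        while (j < len && known[i].scheme[j] &&
               tolower((unsigned char)url[j]) == known[i].scheme[j])
            j++;
        if (j == len && known[i].scheme[j] == '\0')
            return known[i].bit;
    }
    return 0;
}

/* Deny-list: follow anything not explicitly forbidden (assumed list: file only). */
int follow_denylist(const char *location)
{
    const unsigned denied = P_FILE; /* written before newproto existed */
    unsigned bit = scheme_bit(location);
    return bit != 0 && !(bit & denied);
}

/* Allow-list: follow only HTTP/HTTPS and FTP/FTPS, as the PR description states. */
int follow_allowlist(const char *location)
{
    return (scheme_bit(location) & (P_HTTP | P_HTTPS | P_FTP | P_FTPS)) != 0;
}

int main(void)
{
    const char *t[] = { "https://example.test/next", "FTP://example.test/f",
                        "file:///tmp/x", "newproto://example.test/" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-26s deny:%d allow:%d\n", t[i], follow_denylist(t[i]), follow_allowlist(t[i]));
    return 0;
}
```

The `newproto://` redirect is followed under the deny-list and refused under the allow-list, without either list having been edited when the protocol was added.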