libcurl: Restrict redirect schemes #4094
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS counterpart were allowed for redirects. This vastly broadens the exploitation surface in case of a vulnerability such as SSRF, where libcurl-based clients are forced to make requests to arbitrary (usually internal) hosts.
CURLPROTO_GOPHER can be used to smuggle any TCP-based protocol by URL-encoding a payload in the URI. Gopher will open a TCP connection and send the payload.
An example of what an adversary can do looks like the following:
What this will do is delete the selected (e.g. some_index) Elasticsearch index from the Elasticsearch node.
For more information about gopher and other protocols used in exploitation, refer to this.
Although the official documentation states some issues around these protocols, I believe that the convenience of allowing such redirects is outweighed by the importance they hold for exploitation.
This PR flips the blacklisting logic of only stating which protocols should be denied and makes this a whitelist of only HTTP/HTTPS and FTP/FTPS. This is also "future-proof", so that other newly supported protocols in the future won't bite any unsuspecting user through redirects.
All other protocols have to be explicitly enabled for redirects through
For context there is already a discussion on the curl-library mailing list about this.
Awaiting your comments on this.
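An added illustration of the change in decision logic described in this PR (written for this page, not code from the PR or from libcurl): with the old deny-list default, an unfamiliar scheme such as gopher passes the redirect check, while the proposed allow-list default refuses it. The PROTO_* bits, the scheme table and the sample redirect target are constructed for the example and are not libcurl's real CURLPROTO_* values.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed bits named after libcurl's CURLPROTO_* flags; values are illustrative, not libcurl's. */
enum {
    PROTO_HTTP = 1u << 0, PROTO_HTTPS = 1u << 1, PROTO_FTP = 1u << 2,
    PROTO_FTPS = 1u << 3, PROTO_FILE = 1u << 4, PROTO_GOPHER = 1u << 5,
    PROTO_SMB = 1u << 6, PROTO_SMBS = 1u << 7, PROTO_DICT = 1u << 8,
    PROTO_ALL = (1u << 9) - 1
};
/* Old default: a deny list, everything except file/smb/smbs. */
#define REDIR_OLD_DEFAULT (PROTO_ALL & ~(PROTO_FILE | PROTO_SMB | PROTO_SMBS))
/* Default proposed by the PR: an allow list of http/https/ftp/ftps only. */
#define REDIR_NEW_DEFAULT (PROTO_HTTP | PROTO_HTTPS | PROTO_FTP | PROTO_FTPS)
static const struct { const char *name; unsigned bit; } schemes[] = {
    {"http", PROTO_HTTP}, {"https", PROTO_HTTPS}, {"ftp", PROTO_FTP},
    {"ftps", PROTO_FTPS}, {"file", PROTO_FILE}, {"gopher", PROTO_GOPHER},
    {"smb", PROTO_SMB}, {"smbs", PROTO_SMBS}, {"dict", PROTO_DICT},
};

/* Scheme of an absolute URL -> protocol bit; 0 if missing or unknown. Compared case-insensitively. */
unsigned scheme_bit(const char *url)
{
    const char *colon = strchr(url, ':');
    if(!colon || colon == url) return 0;
    size_t len = (size_t)(colon - url);
    for(size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t k = 0;
        if(strlen(schemes[i].name) != len) continue;
        while(k < len && tolower((unsigned char)url[k]) == schemes[i].name[k]) k++;
        if(k == len) return schemes[i].bit;
    }
    return 0;
}

/* Follow a redirect only if its resolved, absolute target has a scheme in the allowed mask. */
int redirect_allowed(const char *location, unsigned allowed)
{
    unsigned bit = scheme_bit(location);
    return bit != 0 && (allowed & bit) != 0;
}
int main(void)
{
    const char *target = "gopher://internal.example:70/1"; /* constructed redirect target */
    printf("deny-list default follows gopher:  %d\n", redirect_allowed(target, REDIR_OLD_DEFAULT));
    printf("allow-list default follows gopher: %d\n", redirect_allowed(target, REDIR_NEW_DEFAULT));
    return 0;
}
```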