fix(proxy): refuse tunneling non-HTTP protocols through HTTP proxy #120

Merged
jonwiggins merged 2 commits into main from
optio/task-64b044bd-c0e5-4d49-81e2-7ca7f2e71d4d
Mar 28, 2026

@jonwiggins jonwiggins commented Mar 28, 2026

Summary

  • When -p (proxytunnel) is active with an HTTP proxy, all protocols now attempt a CONNECT tunnel through the proxy before protocol-specific handling, matching curl's behavior
  • Added is_http_proxy_tunnel() accessor on Easy for CLI tunnel-bypass logic
  • CLI scheme validation now bypasses protocol checks when proxy tunnel is active, allowing any protocol to be tunneled
  • Added default port mappings for dict, imap, mqtt, pop3, smtp, telnet and their TLS variants
  • Added gopher, rtsp, ldap, smb to the supported protocol list in the CLI
  • Fixed RTSP early dispatch path to also attempt CONNECT tunnel (RTSP bypasses do_single_request)
  • Fixed FTPS proxy tunnel handling by routing it through the generic CONNECT tunnel code

Test plan

  • Curl test 445 passes ("Refuse tunneling protocols through HTTP proxy")
  • All 16 protocols in test 445 correctly attempt CONNECT tunnel and receive error 56
  • Proxy tunnel tests 1319-1321, FTP proxy tests 79/208/275/299/706-715/1021/1078 pass
  • No regressions in tests 1-50, 100-120, 440-450, 700-720, 1050-1060
  • cargo fmt, cargo clippy, cargo test all pass

🤖 Generated with Claude Code

Optio Agent and others added 2 commits March 28, 2026 00:35
When --proxytunnel (-p) is set with an HTTP proxy, all protocols must
attempt a CONNECT tunnel through the proxy before protocol-specific
handling. Previously, non-HTTP protocols either failed with URL parse
errors (missing default ports) or were rejected as unsupported before
reaching the proxy tunnel logic.

Changes:
- Add default ports for dict, imap, imaps, mqtt, mqtts, pop3, pop3s,
  smtp, smtps, and telnet in Url::port_or_default()
- Add CONNECT tunnel pre-check in do_single_request() for protocols
  that don't handle their own tunneling (e.g. gopher, dict, telnet,
  rtsp, ldap, smb, sftp, scp, mqtt, ws)
- Add is_http_proxy_tunnel() getter on Easy for CLI scheme validation
- Bypass early scheme validation in CLI when proxy tunnel is active
- Add gopher, rtsp, ldap, smb to the supported protocol list

Passes curl test 445 (Refuse tunneling protocols through HTTP proxy).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add CONNECT tunnel handling for RTSP in the early dispatch path
  (RTSP bypasses do_single_request, so the generic tunnel code
  didn't run for it)
- Remove FTPS from the already_handles_tunnel exclusion list so the
  generic CONNECT tunnel code handles proxy rejection for FTPS URLs

All protocols now correctly attempt CONNECT tunnel when -p is active
with an HTTP proxy, matching curl's behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jonwiggins jonwiggins merged commit 3b1a326 into main Mar 28, 2026
7 checks passed
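
The CONNECT-first behaviour described in this PR, as an added example that is not code from the project: it builds the CONNECT request for a non-HTTP URL and maps a refused tunnel to error 56. All function names are hypothetical, the sample URL and proxy reply are constructed, and the port numbers are the well-known assignments for each scheme, assumed rather than taken from the PR.

```rust
// Added illustration, not the project's code; all names are hypothetical.

/// Well-known default ports for schemes named in the PR (IANA assignments).
fn default_port(scheme: &str) -> Option<u16> {
    Some(match scheme {
        "dict" => 2628, "imap" => 143, "imaps" => 993, "mqtt" => 1883,
        "mqtts" => 8883, "pop3" => 110, "pop3s" => 995, "smtp" => 25,
        "smtps" => 465, "telnet" => 23, "gopher" => 70, "rtsp" => 554,
        "ldap" => 389, "smb" => 445,
        _ => return None,
    })
}

/// Build the CONNECT request sent to the HTTP proxy before any protocol bytes.
/// Returns None for unknown schemes, bad ports, or IPv6 literals (not handled).
fn connect_request(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    let authority = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) => (h, p.parse::<u16>().ok()?),
        None => (authority, default_port(&scheme.to_ascii_lowercase())?),
    };
    if host.is_empty() || host.starts_with('[') { return None; }
    Some(format!("CONNECT {0}:{1} HTTP/1.1\r\nHost: {0}:{1}\r\n\r\n", host, port))
}

/// Error code the PR's test plan reports when the proxy refuses CONNECT.
const ERR_PROXY_REFUSED: i32 = 56;

/// Ok(()) only for a 2xx status line; anything else means no tunnel exists,
/// so the caller must stop before sending protocol-specific bytes.
fn check_proxy_reply(reply: &str) -> Result<(), i32> {
    let mut parts = reply.lines().next().unwrap_or("").split_whitespace();
    let is_http = parts.next().map_or(false, |v| v.starts_with("HTTP/"));
    match (is_http, parts.next().and_then(|c| c.parse::<u16>().ok())) {
        (true, Some(200..=299)) => Ok(()),
        _ => Err(ERR_PROXY_REFUSED),
    }
}

fn main() {
    // Constructed sample: the proxy refuses a tunnel to a telnet port.
    let req = connect_request("telnet://host.example/").expect("valid URL");
    print!("{}", req);
    println!("{:?}", check_proxy_reply("HTTP/1.1 403 Forbidden\r\n\r\n"));
}
```

Treating every non-2xx or malformed reply as a failure keeps the client from speaking SMTP, telnet or similar to the proxy itself when the tunnel was never opened.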