
[taler-exchange] branch master updated: improve curl backwards compatibi


From: gnunet
Subject: [taler-exchange] branch master updated: improve curl backwards compatibility, de-duplicate code
Date: Mon, 08 Jan 2024 19:18:27 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository exchange.

The following commit(s) were added to refs/heads/master by this push:
     new ef193efa improve curl backwards compatibility, de-duplicate code
ef193efa is described below

commit ef193efa2f1d6d3d111a082810b5ecc28947d16c
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Mon Jan 8 19:18:24 2024 +0100

    improve curl backwards compatibility, de-duplicate code
---
 src/curl/curl.c                      | 52 ++++++++++++++++++++++++++++++++++++
 src/include/taler_curl_lib.h         | 13 +++++++++
 src/lib/auditor_api_curl_defaults.c  | 24 +++--------------
 src/lib/exchange_api_curl_defaults.c | 25 +++--------------
 4 files changed, 71 insertions(+), 43 deletions(-)

diff --git a/src/curl/curl.c b/src/curl/curl.c
index caa0052f..61a1ca95 100644
--- a/src/curl/curl.c
+++ b/src/curl/curl.c
@@ -30,6 +30,58 @@
 #endif
 
 
+void
+TALER_curl_set_secure_redirect_policy (CURL *eh,
+                                       const char *url)
+{
+  GNUNET_assert (CURLE_OK ==
+                 curl_easy_setopt (eh,
+                                   CURLOPT_FOLLOWLOCATION,
+                                   1L));
+  GNUNET_assert ( (0 == strncasecmp (url, ||
+                                     "https://";,
+                                     strlen ("https://";))) ||
+                  (0 == strncasecmp (url,
+                                     "https://";,
+                                     strlen ("http://";))) );
+#ifdef CURLOPT_REDIR_PROTOCOLS_STR
+  if (0 == strncasecmp (url,
+                        "https://";,
+                        strlen ("https://";)))
+    GNUNET_assert (CURLE_OK ==
+                   curl_easy_setopt (eh,
+                                     CURLOPT_REDIR_PROTOCOLS_STR,
+                                     "https"));
+  else
+    GNUNET_assert (CURLE_OK ==
+                   curl_easy_setopt (eh,
+                                     CURLOPT_REDIR_PROTOCOLS_STR,
+                                     "http,https"));
+#else
+#ifdef CURLOPT_REDIR_PROTOCOLS
+  if (0 == strncasecmp (url,
+                        "https://";,
+                        strlen ("https://";)))
+    GNUNET_assert (CURLE_OK ==
+                   curl_easy_setopt (eh,
+                                     CURLOPT_REDIR_PROTOCOLS,
+                                     CURLPROTO_HTTPS));
+  else
+    GNUNET_assert (CURLE_OK ==
+                   curl_easy_setopt (eh,
+                                     CURLOPT_REDIR_PROTOCOLS,
+                                     CURLPROTO_HTTP | CURLPROTO_HTTPS));
+#endif
+#endif
+  /* limit MAXREDIRS to 5 as a simple security measure against
+     a potential infinite loop caused by a malicious target */
+  GNUNET_assert (CURLE_OK ==
+                 curl_easy_setopt (eh,
+                                   CURLOPT_MAXREDIRS,
+                                   5L));
+}
+
+
 enum GNUNET_GenericReturnValue
 TALER_curl_easy_post (struct TALER_CURL_PostContext *ctx,
                       CURL *eh,
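Review bot: The scheme assertion at the top of TALER_curl_set_secure_redirect_policy compares `url` with the `https://` literal in both arms, the second time using the length of `http://`, so as shown a plain-HTTP URL fails the assert and aborts instead of reaching the `http,https` branch; the second arm should compare against the `http://` literal. The stray `||` after `url,` on the first arm would also not compile, unless it is an artifact of this archive rendering. Separately, `#ifdef CURLOPT_REDIR_PROTOCOLS_STR` and `#ifdef CURLOPT_REDIR_PROTOCOLS` only select a branch if those names are preprocessor macros; in libcurl's headers the options are, as far as I know, enumerators, in which case both branches are compiled out and `CURLOPT_FOLLOWLOCATION` stays enabled with no protocol restriction at all. A version test such as `#if CURL_AT_LEAST_VERSION(7, 85, 0)` with the bitmask option as the unconditional `#else` would fail closed, which is worth confirming against the curl headers in use. The callers changed in the auditor and exchange hunks now inherit the abort-on-bad-scheme behaviour, so a comment stating that `url` must already be validated would help.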
diff --git a/src/include/taler_curl_lib.h b/src/include/taler_curl_lib.h
index 04dc20b9..f108e615 100644
--- a/src/include/taler_curl_lib.h
+++ b/src/include/taler_curl_lib.h
@@ -79,4 +79,17 @@ void
 TALER_curl_easy_post_finished (struct TALER_CURL_PostContext *ctx);
 
 
+/**
+ * Set a secure redirection policy, allowing a limited
+ * number of redirects and only going from HTTP to HTTPS
+ * but not from HTTPS to HTTP.
+ *
+ * @param[in,out] eh easy handle to modify
+ * @param url URL to base the redirect policy on;
+ *        must start with "http://"; or "https://";
+ */
+void
+TALER_curl_set_secure_redirect_policy (CURL *eh,
+                                       const char *url);
+
 #endif
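Review bot: The doc comment states the precondition on `url` but not what happens when it is violated; in the implementation added by this commit the scheme check is a `GNUNET_assert`, so a URL with any other scheme aborts the process rather than returning an error. I would add a line such as `@note aborts via GNUNET_assert() if @a url has another scheme; callers must validate untrusted URLs first`. Since the function returns `void`, the comment is the only place a caller can learn this, and it could also name the redirect limit (5) that "a limited number of redirects" refers to.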
diff --git a/src/lib/auditor_api_curl_defaults.c 
b/src/lib/auditor_api_curl_defaults.c
index 1565dfde..a674f5fd 100644
--- a/src/lib/auditor_api_curl_defaults.c
+++ b/src/lib/auditor_api_curl_defaults.c
@@ -19,6 +19,7 @@
  * @brief curl easy handle defaults
  * @author Florian Dold
  */
+#include "taler_curl_lib.h"
 #include "auditor_api_curl_defaults.h"
 
 
@@ -37,33 +38,14 @@ TALER_AUDITOR_curl_easy_get_ (const char *url)
                  curl_easy_setopt (eh,
                                    CURLOPT_URL,
                                    url));
-  GNUNET_assert (CURLE_OK ==
-                 curl_easy_setopt (eh,
-                                   CURLOPT_FOLLOWLOCATION,
-                                   1L));
-  if (0 == strcasecmp (url,
-                       "https://";))
-    GNUNET_assert (CURLE_OK ==
-                   curl_easy_setopt (eh,
-                                     CURLOPT_REDIR_PROTOCOLS_STR,
-                                     "https"));
-  else
-    GNUNET_assert (CURLE_OK ==
-                   curl_easy_setopt (eh,
-                                     CURLOPT_REDIR_PROTOCOLS_STR,
-                                     "http,https"));
+  TALER_curl_set_secure_redirect_policy (eh,
+                                         url);
   /* Enable compression (using whatever curl likes), see
      https://curl.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html  */
   GNUNET_break (CURLE_OK ==
                 curl_easy_setopt (eh,
                                   CURLOPT_ACCEPT_ENCODING,
                                   ""));
-  /* limit MAXREDIRS to 5 as a simple security measure against
-     a potential infinite loop caused by a malicious target */
-  GNUNET_assert (CURLE_OK ==
-                 curl_easy_setopt (eh,
-                                   CURLOPT_MAXREDIRS,
-                                   5L));
   GNUNET_assert (CURLE_OK ==
                  curl_easy_setopt (eh,
                                    CURLOPT_TCP_FASTOPEN,
diff --git a/src/lib/exchange_api_curl_defaults.c 
b/src/lib/exchange_api_curl_defaults.c
index 907b845b..68bc360f 100644
--- a/src/lib/exchange_api_curl_defaults.c
+++ b/src/lib/exchange_api_curl_defaults.c
@@ -19,7 +19,7 @@
  * @brief curl easy handle defaults
  * @author Florian Dold
  */
-
+#include "taler_curl_lib.h"
 #include "exchange_api_curl_defaults.h"
 
 
@@ -38,33 +38,14 @@ TALER_EXCHANGE_curl_easy_get_ (const char *url)
                  curl_easy_setopt (eh,
                                    CURLOPT_URL,
                                    url));
-  GNUNET_assert (CURLE_OK ==
-                 curl_easy_setopt (eh,
-                                   CURLOPT_FOLLOWLOCATION,
-                                   1L));
-  if (0 == strcasecmp (url,
-                       "https://";))
-    GNUNET_assert (CURLE_OK ==
-                   curl_easy_setopt (eh,
-                                     CURLOPT_REDIR_PROTOCOLS_STR,
-                                     "https"));
-  else
-    GNUNET_assert (CURLE_OK ==
-                   curl_easy_setopt (eh,
-                                     CURLOPT_REDIR_PROTOCOLS_STR,
-                                     "http,https"));
+  TALER_curl_set_secure_redirect_policy (eh,
+                                         url);
   /* Enable compression (using whatever curl likes), see
      https://curl.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html  */
   GNUNET_break (CURLE_OK ==
                 curl_easy_setopt (eh,
                                   CURLOPT_ACCEPT_ENCODING,
                                   ""));
-  /* limit MAXREDIRS to 5 as a simple security measure against
-     a potential infinite loop caused by a malicious target */
-  GNUNET_assert (CURLE_OK ==
-                 curl_easy_setopt (eh,
-                                   CURLOPT_MAXREDIRS,
-                                   5L));
   GNUNET_assert (CURLE_OK ==
                  curl_easy_setopt (eh,
                                    CURLOPT_TCP_FASTOPEN,

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


