[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-exchange] branch master updated: improve curl backwards compatibi
From: |
gnunet |
Subject: |
[taler-exchange] branch master updated: improve curl backwards compatibility, de-duplicate code |
Date: |
Mon, 08 Jan 2024 19:18:27 +0100 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository exchange.
The following commit(s) were added to refs/heads/master by this push:
new ef193efa improve curl backwards compatibility, de-duplicate code
ef193efa is described below
commit ef193efa2f1d6d3d111a082810b5ecc28947d16c
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Mon Jan 8 19:18:24 2024 +0100
improve curl backwards compatibility, de-duplicate code
---
src/curl/curl.c | 52 ++++++++++++++++++++++++++++++++++++
src/include/taler_curl_lib.h | 13 +++++++++
src/lib/auditor_api_curl_defaults.c | 24 +++--------------
src/lib/exchange_api_curl_defaults.c | 25 +++--------------
4 files changed, 71 insertions(+), 43 deletions(-)
diff --git a/src/curl/curl.c b/src/curl/curl.c
index caa0052f..61a1ca95 100644
--- a/src/curl/curl.c
+++ b/src/curl/curl.c
@@ -30,6 +30,58 @@
#endif
+void
+TALER_curl_set_secure_redirect_policy (CURL *eh,
+ const char *url)
+{
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_FOLLOWLOCATION,
+ 1L));
+ GNUNET_assert ( (0 == strncasecmp (url, ||
+ "https://",
+ strlen ("https://"))) ||
+ (0 == strncasecmp (url,
+ "https://",
+ strlen ("http://"))) );
+#ifdef CURLOPT_REDIR_PROTOCOLS_STR
+ if (0 == strncasecmp (url,
+ "https://",
+ strlen ("https://")))
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS_STR,
+ "https"));
+ else
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS_STR,
+ "http,https"));
+#else
+#ifdef CURLOPT_REDIR_PROTOCOLS
+ if (0 == strncasecmp (url,
+ "https://",
+ strlen ("https://")))
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS,
+ CURLPROTO_HTTPS));
+ else
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_REDIR_PROTOCOLS,
+ CURLPROTO_HTTP | CURLPROTO_HTTPS));
+#endif
+#endif
+ /* limit MAXREDIRS to 5 as a simple security measure against
+ a potential infinite loop caused by a malicious target */
+ GNUNET_assert (CURLE_OK ==
+ curl_easy_setopt (eh,
+ CURLOPT_MAXREDIRS,
+ 5L));
+}
+
+
enum GNUNET_GenericReturnValue
TALER_curl_easy_post (struct TALER_CURL_PostContext *ctx,
CURL *eh,
diff --git a/src/include/taler_curl_lib.h b/src/include/taler_curl_lib.h
index 04dc20b9..f108e615 100644
--- a/src/include/taler_curl_lib.h
+++ b/src/include/taler_curl_lib.h
@@ -79,4 +79,17 @@ void
TALER_curl_easy_post_finished (struct TALER_CURL_PostContext *ctx);
+/**
+ * Set a secure redirection policy, allowing a limited
+ * number of redirects and only going from HTTP to HTTPS
+ * but not from HTTPS to HTTP.
+ *
+ * @param[in,out] eh easy handle to modify
+ * @param url URL to base the redirect policy on;
+ * must start with "http://" or "https://"
+ */
+void
+TALER_curl_set_secure_redirect_policy (CURL *eh,
+ const char *url);
+
#endif
diff --git a/src/lib/auditor_api_curl_defaults.c
b/src/lib/auditor_api_curl_defaults.c
index 1565dfde..a674f5fd 100644
--- a/src/lib/auditor_api_curl_defaults.c
+++ b/src/lib/auditor_api_curl_defaults.c
@@ -19,6 +19,7 @@
* @brief curl easy handle defaults
* @author Florian Dold
*/
+#include "taler_curl_lib.h"
#include "auditor_api_curl_defaults.h"
@@ -37,33 +38,14 @@ TALER_AUDITOR_curl_easy_get_ (const char *url)
curl_easy_setopt (eh,
CURLOPT_URL,
url));
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_FOLLOWLOCATION,
- 1L));
- if (0 == strcasecmp (url,
- "https://"))
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "https"));
- else
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "http,https"));
+ TALER_curl_set_secure_redirect_policy (eh,
+ url);
/* Enable compression (using whatever curl likes), see
https://curl.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html */
GNUNET_break (CURLE_OK ==
curl_easy_setopt (eh,
CURLOPT_ACCEPT_ENCODING,
""));
- /* limit MAXREDIRS to 5 as a simple security measure against
- a potential infinite loop caused by a malicious target */
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_MAXREDIRS,
- 5L));
GNUNET_assert (CURLE_OK ==
curl_easy_setopt (eh,
CURLOPT_TCP_FASTOPEN,
diff --git a/src/lib/exchange_api_curl_defaults.c
b/src/lib/exchange_api_curl_defaults.c
index 907b845b..68bc360f 100644
--- a/src/lib/exchange_api_curl_defaults.c
+++ b/src/lib/exchange_api_curl_defaults.c
@@ -19,7 +19,7 @@
* @brief curl easy handle defaults
* @author Florian Dold
*/
-
+#include "taler_curl_lib.h"
#include "exchange_api_curl_defaults.h"
@@ -38,33 +38,14 @@ TALER_EXCHANGE_curl_easy_get_ (const char *url)
curl_easy_setopt (eh,
CURLOPT_URL,
url));
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_FOLLOWLOCATION,
- 1L));
- if (0 == strcasecmp (url,
- "https://"))
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "https"));
- else
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_REDIR_PROTOCOLS_STR,
- "http,https"));
+ TALER_curl_set_secure_redirect_policy (eh,
+ url);
/* Enable compression (using whatever curl likes), see
https://curl.se/libcurl/c/CURLOPT_ACCEPT_ENCODING.html */
GNUNET_break (CURLE_OK ==
curl_easy_setopt (eh,
CURLOPT_ACCEPT_ENCODING,
""));
- /* limit MAXREDIRS to 5 as a simple security measure against
- a potential infinite loop caused by a malicious target */
- GNUNET_assert (CURLE_OK ==
- curl_easy_setopt (eh,
- CURLOPT_MAXREDIRS,
- 5L));
GNUNET_assert (CURLE_OK ==
curl_easy_setopt (eh,
CURLOPT_TCP_FASTOPEN,
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
- [taler-exchange] branch master updated: improve curl backwards compatibility, de-duplicate code,
gnunet <=