author | Lukas Reschke <lukas@owncloud.com> | 2014-09-11 19:21:56 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2014-09-22 20:02:32 +0200 |
commit | 6eeb905871fc7a671f99fd22c2592358a6abc02d (patch) | |
tree | 391889ddb92d83a766a109cd7fc6bd58a4805691 /lib/private/user | |
parent | 70937dabcdf60a047000347523bfee7a53e673e6 (diff) | |
Do only follow HTTP and HTTPS redirects
We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions (e.g. a redirect to ftp:// might be used to access files of an FTP server that sits in a secure zone and is reachable from the ownCloud server but not from the net).
Get final redirect manually using get_headers()
Migrate to HTTPHelper class and add unit tests
Diffstat (limited to 'lib/private/user')
-rw-r--r-- | lib/private/user/http.php | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/private/user/http.php b/lib/private/user/http.php
index 2bb8b4c864a..617e8adb3f2 100644
--- a/lib/private/user/http.php
+++ b/lib/private/user/http.php
@@ -72,6 +72,8 @@ class OC_User_HTTP extends OC_User_Backend {
 curl_setopt($ch, CURLOPT_URL, $url);
 curl_setopt($ch, CURLOPT_USERPWD, $user.':'.$password);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
 curl_exec($ch); |