On Thu, Dec 01, 2016 at 03:02:23PM -0800, Brandon Williams wrote:
> > diff --git a/http.c b/http.c
> > index 825118481..051fe6e5a 100644
> > --- a/http.c
> > +++ b/http.c
> > @@ -745,6 +745,7 @@ static CURL *get_curl_handle(void)
> > if (is_transport_allowed("ftps"))
> > allowed_protocols |= CURLPROTO_FTPS;
> > curl_easy_setopt(result, CURLOPT_REDIR_PROTOCOLS, allowed_protocols);
> > + curl_easy_setopt(result, CURLOPT_PROTOCOLS, allowed_protocols);
> > #else
> > if (transport_restrict_protocols())
> > warning("protocol restrictions not applied to curl redirects because\n"
>
> Because I don't know much about how curl works....Only
> http/https/ftp/ftps protocols are allowed to be passed to curl? Is that
> because curl only understands those particular protocols?
No, curl understands more protocols, and that is exactly the problem. We
don't want to accidentally have curl access file://, smtp://, or
similar, based on what some server puts in their http-alternates file.
You should only be able to get to this code-path by calling one of
git-remote-{http,https,ftp,ftps}. So there is no problem with
restricting the protocol beyond those options. And there should be no
problem with restricting within that set; if the protocol we intend to
feed to curl had been disallowed by policy, git would have blocked it
before hitting git-remote in the first place.
-Peff