author | Nathan Gass | 2022-08-11 11:14:40 +0200 |
---|---|---|
committer | Nathan Gass | 2022-08-11 11:14:40 +0200 |
commit | 0e2dd0ba5876028ac2cdaff8bc745837a2222593 (patch) | |
tree | e01795d6cbc0610c3bb64a922f0050569bd86687 | |
parent | 9270b33cfd64662a7762621f9ea720c50575c632 (diff) | |
secure curl default config
-rw-r--r-- | it_url.class | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/it_url.class b/it_url.class index 817630f..2664169 100644 --- a/it_url.class +++ b/it_url.class @@ -198,13 +198,13 @@ static function curl_opts($p=array()) $p += [ 'totaltimeout' => "999999", 'timeout' => 5, - 'followlocation' => true, - 'accept_encoding' => '', # set header to accept any supported encoding and enable automatic decompression + 'followlocation' => !$p['files'], # disallow redirects for file uploads as recommended by https://curl.se/libcurl/security.html + 'accept_encoding' => '', # set header to accept any supported encoding and enable automatic decompression ]; $add = []; foreach ($p['headers'] as $header => $value) - $headers[] = "$header: $value"; + $headers[] = strtr("$header: $value", "\n\r", ' '); # file upload foreach ((array)$p['files'] as $field => $filename) @@ -250,6 +250,7 @@ static function curl_opts($p=array()) CURLOPT_CUSTOMREQUEST => $p['method'] ?: null, CURLOPT_NOBODY => $p['method'] == 'HEAD', CURLOPT_SAFE_UPLOAD => true, # disable special meaning of @value in POST forms (security) + CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS, CURLOPT_CAPATH => '/etc/ssl/certs/', CURLOPT_SSL_VERIFYPEER => !$p['allow_insecure_ssl'], |
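Review bot: The CR/LF stripping on the new `$headers[]` line depends on the two character lists passed to `strtr` having equal length, because PHP ignores the surplus characters of the longer list. The replacement is displayed here as a single space, which may only be whitespace collapsed by this page, but if the file really has one space then `\r` passes through unchanged and the header-injection guard is only half effective. A form that does not depend on string length is `$headers[] = str_replace(["\r", "\n"], ' ', "$header: $value");`. Separately, `$p += [...]` only supplies a default, so a caller that passes `'followlocation' => true` together with `files` still follows redirects on an upload; if that is intended, the trailing comment should say it is a default only. The body of `curl_opts` starts and ends outside this hunk.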
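Review bot: The added `CURLOPT_PROTOCOLS` line has no comment saying why it is there, unlike the `CURLOPT_SAFE_UPLOAD` line directly above it, and the redirect allow-list is not pinned next to it. I would write it as `CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS, # only http(s) for caller-supplied URLs, no file:// etc. (security)` and add `CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,` after it. The first hunk keeps `followlocation` on by default for non-upload requests, so an explicit redirect allow-list means the policy does not rest on the behaviour of the installed libcurl version. The options array and the function continue outside this hunk, so a redirect setting elsewhere in the array cannot be ruled out from here.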