From 0e2dd0ba5876028ac2cdaff8bc745837a2222593 Mon Sep 17 00:00:00 2001
From: Nathan Gass
Date: Thu, 11 Aug 2022 11:14:40 +0200
Subject: secure curl default config

---
 it_url.class | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/it_url.class b/it_url.class
index 817630f..2664169 100644
--- a/it_url.class
+++ b/it_url.class
@@ -198,13 +198,13 @@ static function curl_opts($p=array())
 $p += [
 'totaltimeout' => "999999",
 'timeout' => 5,
- 'followlocation' => true,
- 'accept_encoding' => '', # set header to accept any supported encoding and enable automatic decompression
+ 'followlocation' => !$p['files'], # disallow redirects for file uploads as recommended by https://curl.se/libcurl/security.html
+ 'accept_encoding' => '', # set header to accept any supported encoding and enable automatic decompression
 ];
 $add = [];
 foreach ($p['headers'] as $header => $value)
- $headers[] = "$header: $value";
+ $headers[] = strtr("$header: $value", "\n\r", ' ');
 # file upload
 foreach ((array)$p['files'] as $field => $filename)
@@ -250,6 +250,7 @@ static function curl_opts($p=array())
 CURLOPT_CUSTOMREQUEST => $p['method'] ?: null,
 CURLOPT_NOBODY => $p['method'] == 'HEAD',
 CURLOPT_SAFE_UPLOAD => true, # disable special meaning of @value in POST forms (security)
+ CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
 CURLOPT_CAPATH => '/etc/ssl/certs/',
 CURLOPT_SSL_VERIFYPEER => !$p['allow_insecure_ssl'],
-- 
cgit v1.2.3
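Review bot: The new `strtr("$header: $value", "\n\r", ' ')` line only strips `\n`: PHP's three-argument `strtr` ignores the extra characters of the longer of `from`/`to`, and `to` here is one character shorter than `from`, so a bare `\r` in a header name or value passes through to CURLOPT_HTTPHEADER unchanged. Give `to` the same length, `$headers[] = strtr("$header: $value", "\n\r", '  ');`, or use `str_replace(["\r", "\n"], ' ', "$header: $value")` so both line terminators are neutralised. Separately, the new `'followlocation' => !$p['files']` default reads `$p['files']` before any default for that key is visible in the hunk, which presumably raises an undefined-array-key notice when the caller passes no files; `'followlocation' => empty($p['files']),` keeps the same truth table without the notice, unless `files` is defaulted earlier in the function. curl_opts begins before this hunk and continues past it, so an earlier default for `files` cannot be ruled out from here.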
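Review bot: The added `CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS` restricts only the first request; with `followlocation` still enabled for non-upload requests, the scheme a redirect may switch to is governed by CURLOPT_REDIR_PROTOCOLS, whose libcurl default was broader than HTTP/HTTPS before libcurl 7.65.2 and still includes FTP/FTPS afterwards. Add `CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,` next to the new line so the allow-list applies to the whole redirect chain, and note the intent in a trailing `# limit initial request and redirects to http(s)` comment. The option array and curl_opts itself start and end outside this hunk; if the file targets a libcurl where CURLOPT_PROTOCOLS_STR is available, the same pair exists in string form.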