Only accept HTTP and HTTPS as protocol

We do not want to follow redirects to other protocols since they might allow an adversary to bypass network restrictions. (i.e. a redirect to ftp:// might be used to access files of a FTP server which might be in a secure zone and not be reachable from the net but from the ownCloud server) See owncloud/core#11032 for the change in ownCloud Fix unit test Add workaround for HHVM
sabre-io · Sep 11, 2014 · 59179fd · 59179fd
1 parent 3283847
commit 59179fd
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 20 deletions.
diff --git a/lib/Sabre/HTTP/Client.php b/lib/Sabre/HTTP/Client.php
@@ -422,6 +422,14 @@ protected function createCurlSettingsArray(RequestInterface $request) {
         }
         $settings[CURLOPT_HTTPHEADER] = $nHeaders;
         $settings[CURLOPT_URL] = $request->getUrl();
+        // FIXME: CURLOPT_PROTOCOLS is currently unsupported by HHVM
+        if(defined('CURLOPT_PROTOCOLS')) {
+            $settings[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+        }
+        // FIXME: CURLOPT_REDIR_PROTOCOLS is currently unsupported by HHVM
+        if(defined('CURLOPT_REDIR_PROTOCOLS')) {
+            $settings[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+        }
 
         return $settings;
 

diff --git a/tests/Sabre/HTTP/ClientTest.php b/tests/Sabre/HTTP/ClientTest.php
@@ -13,8 +13,7 @@ function testCreateCurlSettingsArrayGET() {
 
         $request = new Request('GET','http://example.org/', ['X-Foo' => 'bar']);
 
-        $this->assertEquals(
-            [
+        $settings = [
                 CURLOPT_RETURNTRANSFER => true,
                 CURLOPT_HEADER => true,
                 CURLOPT_POSTREDIR => 0,
@@ -23,9 +22,17 @@ function testCreateCurlSettingsArrayGET() {
                 CURLOPT_CUSTOMREQUEST => 'GET',
                 CURLOPT_POSTFIELDS => null,
                 CURLOPT_PUT => false,
-            ],
-            $client->createCurlSettingsArray($request)
-        );
+            ];
+
+        // FIXME: CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS are currently unsupported by HHVM
+        // at least if this unit test fails in the future we know it is :)
+        if(defined('HHVM_VERSION') === false) {
+            $settings[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+            $settings[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+        }
+
+
+        $this->assertEquals($settings, $client->createCurlSettingsArray($request));
 
     }
 
@@ -34,8 +41,8 @@ function testCreateCurlSettingsArrayHEAD() {
         $client = new ClientMock();
         $request = new Request('HEAD','http://example.org/', ['X-Foo' => 'bar']);
 
-        $this->assertEquals(
-            [
+
+        $settings = [
                 CURLOPT_RETURNTRANSFER => true,
                 CURLOPT_HEADER => true,
                 CURLOPT_NOBODY => true,
@@ -44,9 +51,16 @@ function testCreateCurlSettingsArrayHEAD() {
                 CURLOPT_URL => 'http://example.org/',
                 CURLOPT_POSTFIELDS => null,
                 CURLOPT_PUT => false,
-            ],
-            $client->createCurlSettingsArray($request)
-        );
+            ];
+
+        // FIXME: CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS are currently unsupported by HHVM
+        // at least if this unit test fails in the future we know it is :)
+        if(defined('HHVM_VERSION') === false) {
+            $settings[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+            $settings[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+        }
+
+        $this->assertEquals($settings, $client->createCurlSettingsArray($request));
 
     }
 
@@ -58,18 +72,24 @@ function testCreateCurlSettingsArrayPUTStream() {
         fwrite($h, 'booh');
         $request = new Request('PUT','http://example.org/', ['X-Foo' => 'bar'], $h);
 
-        $this->assertEquals(
-            [
+        $settings = [
                 CURLOPT_RETURNTRANSFER => true,
                 CURLOPT_HEADER => true,
                 CURLOPT_PUT => true,
                 CURLOPT_INFILE => $h,
                 CURLOPT_CUSTOMREQUEST => 'PUT',
                 CURLOPT_HTTPHEADER => ['X-Foo: bar'],
                 CURLOPT_URL => 'http://example.org/',
-            ],
-            $client->createCurlSettingsArray($request)
-        );
+            ];
+
+        // FIXME: CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS are currently unsupported by HHVM
+        // at least if this unit test fails in the future we know it is :)
+        if(defined('HHVM_VERSION') === false) {
+            $settings[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+            $settings[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+        }
+
+        $this->assertEquals($settings, $client->createCurlSettingsArray($request));
 
     }
 
@@ -78,17 +98,23 @@ function testCreateCurlSettingsArrayPUTString() {
         $client = new ClientMock();
         $request = new Request('PUT','http://example.org/', ['X-Foo' => 'bar'], 'boo');
 
-        $this->assertEquals(
-            [
+        $settings = [
                 CURLOPT_RETURNTRANSFER => true,
                 CURLOPT_HEADER => true,
                 CURLOPT_POSTFIELDS => 'boo',
                 CURLOPT_CUSTOMREQUEST => 'PUT',
                 CURLOPT_HTTPHEADER => ['X-Foo: bar'],
                 CURLOPT_URL => 'http://example.org/',
-            ],
-            $client->createCurlSettingsArray($request)
-        );
+            ];
+
+        // FIXME: CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS are currently unsupported by HHVM
+        // at least if this unit test fails in the future we know it is :)
+        if(defined('HHVM_VERSION') === false) {
+            $settings[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+            $settings[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+        }
+
+        $this->assertEquals($settings, $client->createCurlSettingsArray($request));
 
     }