lj2news: limit protocols to http(s)

Mitigation for http://blog.volema.com/curl-rce.html and hypothetical
analogous bugs discovered in the future.

diff --git a/CHANGES.html b/CHANGES.html
index f67eff5..dd94d42 100644 (file)
--- a/CHANGES.html
+++ b/CHANGES.html
@@ -29,6 +29,8 @@ pre { margin-left: 1em }
         more comprehensible error messages, particularly when using
         unreliable feeds.</li>
 
+        <li>Limit the protocols supported to HTTP and HTTPS.</li>
+
         <li>More verbose debug output.</li>
 
       </ul>

diff --git a/gateways/lj2news.c b/gateways/lj2news.c
index 4dac127..6291914 100644 (file)
--- a/gateways/lj2news.c
+++ b/gateways/lj2news.c
@@ -1,6 +1,6 @@
 /*
  * This file is part of rjk-nntp-tools.
- * Copyright (C) 2005, 2006, 2008, 2009, 2011, 2012 Richard Kettlewell
+ * Copyright (C) 2005, 2006, 2008, 2009, 2011-2013 Richard Kettlewell
  * Copyright (C) 2008 Colin Watson
  *
  * This program is free software; you can redistribute it and/or modify
@@ -663,6 +663,14 @@ Rarely used options:\n\
   if((cerr = curl_easy_setopt(curl, CURLOPT_TIMEOUT, (long)timeout)))
     fatal(0, "curl_easy_setopt CURLOPT_TIMEOUT: %s",
          curl_easy_strerror(cerr));
+  if((cerr = curl_easy_setopt(curl, CURLOPT_PROTOCOLS,
+                              CURLPROTO_HTTP|CURLPROTO_HTTPS)))
+    fatal(0, "curl_easy_setopt CURLOPT_PROTOCOLS: %s",
+         curl_easy_strerror(cerr));
+  if((cerr = curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS,
+                              CURLPROTO_HTTP|CURLPROTO_HTTPS)))
+    fatal(0, "curl_easy_setopt CURLOPT_REDIR_PROTOCOLS: %s",
+         curl_easy_strerror(cerr));
   if(pf != PF_UNSPEC) {
     if((cerr = curl_easy_setopt(curl, CURLOPT_IPRESOLVE,
                                 pf == AF_INET