
[taler-exchange] 12/12: limit redirects


From: gnunet
Subject: [taler-exchange] 12/12: limit redirects
Date: Sat, 29 Feb 2020 16:59:31 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository exchange.

commit cdc8c5b57bb5992b7afe5c9f36e5e286a930dff8
Author: Christian Grothoff <address@hidden>
AuthorDate: Sat Feb 29 16:54:58 2020 +0100

    limit redirects
---
 src/lib/exchange_api_curl_defaults.c    | 8 +++++++-
 src/lib/exchange_api_curl_defaults.h    | 2 +-
 src/lib/exchange_api_deposit.c          | 2 +-
 src/lib/exchange_api_deposits_get.c     | 2 +-
 src/lib/exchange_api_handle.c           | 2 +-
 src/lib/exchange_api_link.c             | 2 +-
 src/lib/exchange_api_melt.c             | 2 +-
 src/lib/exchange_api_recoup.c           | 2 +-
 src/lib/exchange_api_refreshes_reveal.c | 2 +-
 src/lib/exchange_api_refund.c           | 2 +-
 src/lib/exchange_api_reserves_get.c     | 2 +-
 src/lib/exchange_api_transfers_get.c    | 2 +-
 src/lib/exchange_api_wire.c             | 2 +-
 src/lib/exchange_api_withdraw.c         | 2 +-
 14 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/src/lib/exchange_api_curl_defaults.c 
b/src/lib/exchange_api_curl_defaults.c
index d1e84f95..26c1ac7d 100644
--- a/src/lib/exchange_api_curl_defaults.c
+++ b/src/lib/exchange_api_curl_defaults.c
@@ -30,7 +30,7 @@
  * @param url URL to query
  */
 CURL *
-TEL_curl_easy_get (const char *url)
+TALER_EXCHANGE_curl_easy_get_ (const char *url)
 {
   CURL *eh;
 
@@ -43,6 +43,12 @@ TEL_curl_easy_get (const char *url)
                  curl_easy_setopt (eh,
                                    CURLOPT_FOLLOWLOCATION,
                                    1L));
+  /* limit MAXREDIRS to 5 as a simple security measure against
+     a potential infinite loop caused by a malicious target */
+  GNUNET_assert (CURLE_OK ==
+                 curl_easy_setopt (eh,
+                                   CURLOPT_MAXREDIRS,
+                                   5L));
   GNUNET_assert (CURLE_OK ==
                  curl_easy_setopt (eh,
                                    CURLOPT_TCP_FASTOPEN,
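Review bot: The new CURLOPT_MAXREDIRS cap bounds how many redirects are followed but not where they may lead, and nothing visible in this hunk restricts the redirect scheme while CURLOPT_FOLLOWLOCATION stays enabled. Consider adding `GNUNET_assert (CURLE_OK == curl_easy_setopt (eh, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS));` next to it, or HTTPS only if plaintext exchanges need not be supported, so that a hostile or compromised server cannot steer the client to another protocol. This matters beyond GETs: the deposit, melt, recoup, refreshes_reveal, refund and withdraw hunks in this commit pass the same handle to `TALER_curl_easy_post`, so the redirect policy also applies to requests carrying payment data. The function body continues past the end of the hunk, so such a restriction may already exist further down; if it does, a pointer to it in the new comment would help.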
diff --git a/src/lib/exchange_api_curl_defaults.h 
b/src/lib/exchange_api_curl_defaults.h
index 7ca1d2e3..009d72ab 100644
--- a/src/lib/exchange_api_curl_defaults.h
+++ b/src/lib/exchange_api_curl_defaults.h
@@ -36,6 +36,6 @@
  * @param url URL to query
  */
 CURL *
-TEL_curl_easy_get (const char *url);
+TALER_EXCHANGE_curl_easy_get_ (const char *url);
 
 #endif /* _TALER_CURL_DEFAULTS_H */
diff --git a/src/lib/exchange_api_deposit.c b/src/lib/exchange_api_deposit.c
index b1d0162f..24b9f6fe 100644
--- a/src/lib/exchange_api_deposit.c
+++ b/src/lib/exchange_api_deposit.c
@@ -626,7 +626,7 @@ TALER_EXCHANGE_deposit (struct TALER_EXCHANGE_Handle 
*exchange,
   dh->dki.key.rsa_public_key = NULL; /* lifetime not warranted, so better
                                         not copy the pointer */
 
-  eh = TEL_curl_easy_get (dh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (dh->url);
   if (GNUNET_OK !=
       TALER_curl_easy_post (&dh->ctx,
                             eh,
diff --git a/src/lib/exchange_api_deposits_get.c 
b/src/lib/exchange_api_deposits_get.c
index 1ffd738c..40d86401 100644
--- a/src/lib/exchange_api_deposits_get.c
+++ b/src/lib/exchange_api_deposits_get.c
@@ -366,7 +366,7 @@ TALER_EXCHANGE_deposits_get (struct TALER_EXCHANGE_Handle 
*exchange,
   dwh->depconf.h_contract_terms = *h_contract_terms;
   dwh->depconf.coin_pub = *coin_pub;
 
-  eh = TEL_curl_easy_get (dwh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (dwh->url);
   ctx = TEAH_handle_to_context (exchange);
   dwh->job = GNUNET_CURL_job_add (ctx,
                                   eh,
diff --git a/src/lib/exchange_api_handle.c b/src/lib/exchange_api_handle.c
index 6a88b703..5d9551c5 100644
--- a/src/lib/exchange_api_handle.c
+++ b/src/lib/exchange_api_handle.c
@@ -1953,7 +1953,7 @@ request_keys (void *cls)
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
               "Requesting keys with URL `%s'.\n",
               kr->url);
-  eh = TEL_curl_easy_get (kr->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (kr->url);
   GNUNET_assert (CURLE_OK ==
                  curl_easy_setopt (eh,
                                    CURLOPT_VERBOSE,
diff --git a/src/lib/exchange_api_link.c b/src/lib/exchange_api_link.c
index 3204ca84..e659a41c 100644
--- a/src/lib/exchange_api_link.c
+++ b/src/lib/exchange_api_link.c
@@ -455,7 +455,7 @@ TALER_EXCHANGE_link (struct TALER_EXCHANGE_Handle *exchange,
   lh->coin_priv = *coin_priv;
   lh->url = TEAH_path_to_url (exchange,
                               arg_str);
-  eh = TEL_curl_easy_get (lh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (lh->url);
   ctx = TEAH_handle_to_context (exchange);
   lh->job = GNUNET_CURL_job_add (ctx,
                                  eh,
diff --git a/src/lib/exchange_api_melt.c b/src/lib/exchange_api_melt.c
index 9c85fa18..5a3abba8 100644
--- a/src/lib/exchange_api_melt.c
+++ b/src/lib/exchange_api_melt.c
@@ -456,7 +456,7 @@ TALER_EXCHANGE_melt (struct TALER_EXCHANGE_Handle *exchange,
   mh->md = md;
   mh->url = TEAH_path_to_url (exchange,
                               arg_str);
-  eh = TEL_curl_easy_get (mh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (mh->url);
   if (GNUNET_OK !=
       TALER_curl_easy_post (&mh->ctx,
                             eh,
diff --git a/src/lib/exchange_api_recoup.c b/src/lib/exchange_api_recoup.c
index a31d5b40..013d480b 100644
--- a/src/lib/exchange_api_recoup.c
+++ b/src/lib/exchange_api_recoup.c
@@ -389,7 +389,7 @@ TALER_EXCHANGE_recoup (struct TALER_EXCHANGE_Handle 
*exchange,
   ph->url = TEAH_path_to_url (exchange,
                               arg_str);
   ph->was_refreshed = was_refreshed;
-  eh = TEL_curl_easy_get (ph->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (ph->url);
   if (GNUNET_OK !=
       TALER_curl_easy_post (&ph->ctx,
                             eh,
diff --git a/src/lib/exchange_api_refreshes_reveal.c 
b/src/lib/exchange_api_refreshes_reveal.c
index 96aafbda..20e19673 100644
--- a/src/lib/exchange_api_refreshes_reveal.c
+++ b/src/lib/exchange_api_refreshes_reveal.c
@@ -461,7 +461,7 @@ TALER_EXCHANGE_refreshes_reveal (struct 
TALER_EXCHANGE_Handle *exchange,
   rrh->url = TEAH_path_to_url (rrh->exchange,
                                arg_str);
 
-  eh = TEL_curl_easy_get (rrh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (rrh->url);
   if (GNUNET_OK !=
       TALER_curl_easy_post (&rrh->ctx,
                             eh,
diff --git a/src/lib/exchange_api_refund.c b/src/lib/exchange_api_refund.c
index e986f102..8c50c80b 100644
--- a/src/lib/exchange_api_refund.c
+++ b/src/lib/exchange_api_refund.c
@@ -387,7 +387,7 @@ TALER_EXCHANGE_refund2 (struct TALER_EXCHANGE_Handle 
*exchange,
   TALER_amount_hton (&rh->depconf.refund_fee,
                      refund_fee);
 
-  eh = TEL_curl_easy_get (rh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (rh->url);
   if (GNUNET_OK !=
       TALER_curl_easy_post (&rh->ctx,
                             eh,
diff --git a/src/lib/exchange_api_reserves_get.c 
b/src/lib/exchange_api_reserves_get.c
index 62e28f05..37adace5 100644
--- a/src/lib/exchange_api_reserves_get.c
+++ b/src/lib/exchange_api_reserves_get.c
@@ -274,7 +274,7 @@ TALER_EXCHANGE_reserves_get (struct TALER_EXCHANGE_Handle 
*exchange,
   rgh->reserve_pub = *reserve_pub;
   rgh->url = TEAH_path_to_url (exchange,
                                arg_str);
-  eh = TEL_curl_easy_get (rgh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (rgh->url);
   ctx = TEAH_handle_to_context (exchange);
   rgh->job = GNUNET_CURL_job_add (ctx,
                                   eh,
diff --git a/src/lib/exchange_api_transfers_get.c 
b/src/lib/exchange_api_transfers_get.c
index 8ea8918c..25a1fea8 100644
--- a/src/lib/exchange_api_transfers_get.c
+++ b/src/lib/exchange_api_transfers_get.c
@@ -366,7 +366,7 @@ TALER_EXCHANGE_transfers_get (struct TALER_EXCHANGE_Handle 
*exchange,
   }
   wdh->url = TEAH_path_to_url (wdh->exchange,
                                arg_str);
-  eh = TEL_curl_easy_get (wdh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (wdh->url);
   ctx = TEAH_handle_to_context (exchange);
   wdh->job = GNUNET_CURL_job_add (ctx,
                                   eh,
diff --git a/src/lib/exchange_api_wire.c b/src/lib/exchange_api_wire.c
index 123f77e1..81b9f430 100644
--- a/src/lib/exchange_api_wire.c
+++ b/src/lib/exchange_api_wire.c
@@ -407,7 +407,7 @@ TALER_EXCHANGE_wire (struct TALER_EXCHANGE_Handle *exchange,
   wh->cb_cls = wire_cb_cls;
   wh->url = TEAH_path_to_url (exchange, "/wire");
 
-  eh = TEL_curl_easy_get (wh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (wh->url);
   ctx = TEAH_handle_to_context (exchange);
   wh->job = GNUNET_CURL_job_add (ctx,
                                  eh,
diff --git a/src/lib/exchange_api_withdraw.c b/src/lib/exchange_api_withdraw.c
index c6323537..e7be4153 100644
--- a/src/lib/exchange_api_withdraw.c
+++ b/src/lib/exchange_api_withdraw.c
@@ -426,7 +426,7 @@ reserve_withdraw_internal (struct TALER_EXCHANGE_Handle 
*exchange,
   wh->ps = *ps;
   wh->url = TEAH_path_to_url (exchange,
                               arg_str);
-  eh = TEL_curl_easy_get (wh->url);
+  eh = TALER_EXCHANGE_curl_easy_get_ (wh->url);
   if (GNUNET_OK !=
       TALER_curl_easy_post (&wh->ctx,
                             eh,

-- 
To stop receiving notification emails like this one, please contact
address@hidden.


