[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH for-1.4] block/curl: only restrict protocols with li
From: |
Stefan Hajnoczi |
Subject: |
[Qemu-devel] [PATCH for-1.4] block/curl: only restrict protocols with libcurl>=7.19.4 |
Date: |
Wed, 13 Feb 2013 09:25:34 +0100 |
The curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, ...) interface was
introduced in libcurl 7.19.4. Therefore we cannot protect against
CVE-2013-0249 when linking against an older libcurl.
This fixes the build failure introduced by
fb6d1bbd246c7a57ef53d3847ef225cd1349d602.
Reported-by: Andreas Färber <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
block/curl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/block/curl.c b/block/curl.c
index f6226b3..98947da 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -309,9 +309,13 @@ static CURLState *curl_init_state(BDRVCURLState *s)
/* Restrict supported protocols to avoid security issues in the more
* obscure protocols. For example, do not allow POP3/SMTP/IMAP see
* CVE-2013-0249.
+ *
+ * Restricting protocols is only supported from 7.19.4 upwards.
*/
+#if LIBCURL_VERSION_NUM >= 0x071304
curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS);
curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS);
+#endif
#ifdef DEBUG_VERBOSE
curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1);
--
1.8.1.2
- [Qemu-devel] [PATCH for-1.4] block/curl: only restrict protocols with libcurl>=7.19.4,
Stefan Hajnoczi <=