From 497d6a7afb588e30bbf4e525bf28f5e78295bd6b Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Wed, 22 Apr 2026 22:27:17 +0200
Subject: [PATCH] Limit cURL to protocols HTTP, HTTPS (#8713)
---
 app/Controllers/updateController.php | 18 ++++++++++++++++++
 app/Models/Feed.php | 18 ++++++++++++++++++
 app/Models/SimplePieCustom.php | 14 ++++++++++++++
 app/Utils/httpUtil.php | 15 +++++++++++++++
 4 files changed, 65 insertions(+)
diff --git a/app/Controllers/updateController.php b/app/Controllers/updateController.php
index 9a1fd0fb9..051303047 100644
--- a/app/Controllers/updateController.php
+++ b/app/Controllers/updateController.php
@@ -229,6 +229,24 @@ class FreshRSS_update_Controller extends FreshRSS_ActionController {
 curl_setopt($curlResource, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($curlResource, CURLOPT_SSL_VERIFYPEER, true);
 curl_setopt($curlResource, CURLOPT_SSL_VERIFYHOST, 2);
+
+ $curl_options = [];
+ if (defined('CURLOPT_PROTOCOLS_STR')) {
+ $curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
+ if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) {
+ $curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
+ }
+ } elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
+ // Legacy PHP 8.2-
+ if (defined('CURLOPT_PROTOCOLS')) {
+ $curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+ }
+ if (defined('CURLOPT_REDIR_PROTOCOLS')) {
+ $curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+ }
+ }
+ curl_setopt_array($curlResource, $curl_options);
+
 $result = curl_exec($curlResource);
 $curlGetinfo = curl_getinfo($curlResource, CURLINFO_HTTP_CODE);
 $curlError = curl_error($curlResource);
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 34f90e728..e10bd2c40 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
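Review bot: The return value of `curl_setopt_array($curlResource, $curl_options)` is discarded in the updateController.php hunk, so if libcurl rejects the protocol option the `curl_exec()` that follows still runs with the default protocol set. The same happens when neither constant branch matches and `$curl_options` stays empty, which is probably unreachable on supported builds but fails open without a trace. Failing closed would be safer, for example `if ($curl_options === [] || !curl_setopt_array($curlResource, $curl_options)) { /* log and abort before curl_exec */ }`. The Feed.php and httpUtil.php hunks ignore the return value in the same way; the enclosing method starts and ends outside this hunk, so how an abort is reported is left to the author.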
@@ -1455,6 +1455,24 @@ class FreshRSS_Feed extends Minz_Model {
 CURLOPT_ACCEPT_ENCODING => '', //Enable all encodings
 //CURLOPT_VERBOSE => 1, // To debug sent HTTP headers
 ]);
+
+ $curl_options = [];
+ if (defined('CURLOPT_PROTOCOLS_STR')) {
+ $curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
+ if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) {
+ $curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
+ }
+ } elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
+ // Legacy PHP 8.2-
+ if (defined('CURLOPT_PROTOCOLS')) {
+ $curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+ }
+ if (defined('CURLOPT_REDIR_PROTOCOLS')) {
+ $curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+ }
+ }
+ curl_setopt_array($ch, $curl_options);
+
 $response = curl_exec($ch);
 $info = curl_getinfo($ch);
 if (!is_array($info)) {
diff --git a/app/Models/SimplePieCustom.php b/app/Models/SimplePieCustom.php
index 41d8f8eee..af2b05714 100644
--- a/app/Models/SimplePieCustom.php
+++ b/app/Models/SimplePieCustom.php
@@ -44,6 +44,20 @@ final class FreshRSS_SimplePieCustom extends \SimplePie\SimplePie
 unset($curl_options[CURLOPT_PROXY]);
 }
 }
+ if (defined('CURLOPT_PROTOCOLS_STR')) {
+ $curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
+ if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) {
+ $curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
+ }
+ } elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
+ // Legacy PHP 8.2-
+ if (defined('CURLOPT_PROTOCOLS')) {
+ $curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+ }
+ if (defined('CURLOPT_REDIR_PROTOCOLS')) {
+ $curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+ }
+ }
 $this->set_curl_options($curl_options);
 $this->strip_comments(true);
diff --git a/app/Utils/httpUtil.php b/app/Utils/httpUtil.php
index 47812ecf7..9a66c7fcf 100644
--- a/app/Utils/httpUtil.php
+++ b/app/Utils/httpUtil.php
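Review bot: The Feed.php hunk carries the second of four copies of the same 14-line protocol allow-list conditional (updateController.php, SimplePieCustom.php and httpUtil.php hold the others), so a later change to the allowed schemes must be made in four places and a missed copy leaves one fetch path less restricted than the rest. A single static helper that takes and returns the options array, placed for instance in FreshRSS_http_Util, would keep them in step; each call site then shrinks to one line such as `$curl_options = FreshRSS_http_Util::restrictProtocols($curl_options);` (the method name is a suggestion, not an existing API). The comment `// Legacy PHP 8.2-` could move with it and say what it means, e.g. `// PHP < 8.3 or libcurl < 7.85.0: no *_STR options, use the bitmask form`.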
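Review bot: Nothing in the SimplePieCustom.php hunk records that the allow-list must be the last write to `$curl_options` before `set_curl_options()`, yet the restriction only holds because of that position. The context lines show the array being adjusted just above (`unset($curl_options[CURLOPT_PROXY])`); if options from feed configuration are merged into it there, which the hunk does not show, a later reorder could let them overwrite the protocol setting. A one-line comment above the block would guard against that, e.g. `// Must stay the last write to $curl_options: overrides any protocol option set earlier`. The httpUtil.php hunk depends on its position in the same way.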
@@ -369,6 +369,21 @@ final class FreshRSS_http_Util { } } + if (defined('CURLOPT_PROTOCOLS_STR')) { + $curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https'; + if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) { + $curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https'; + } + } elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) { + // Legacy PHP 8.2- + if (defined('CURLOPT_PROTOCOLS')) { + $curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS; + } + if (defined('CURLOPT_REDIR_PROTOCOLS')) { + $curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS; + } + } + curl_setopt_array($ch, $curl_options); $body = curl_exec($ch);