From 420ce9142825368043649eb83ae4ae118f56caee Mon Sep 17 00:00:00 2001 From: Kolja Lampe Date: Fri, 12 Jun 2026 14:53:27 +0200 Subject: [PATCH] http: Reset curl TLS options between transfers Previously the curl object potentially leaked cert infos from different urls --- common/flatpak-utils-http.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/flatpak-utils-http.c b/common/flatpak-utils-http.c index 9565d6eed..33a2a8502 100644 --- a/common/flatpak-utils-http.c +++ b/common/flatpak-utils-http.c @@ -627,6 +627,10 @@ flatpak_download_http_uri_once (FlatpakHttpSession *session, curl_easy_setopt (curl, CURLOPT_WRITEDATA, (void *)data); curl_easy_setopt (curl, CURLOPT_HEADERDATA, (void *)data); + curl_easy_setopt (curl, CURLOPT_CAINFO, NULL); + curl_easy_setopt (curl, CURLOPT_SSLCERT, NULL); + curl_easy_setopt (curl, CURLOPT_SSLKEY, NULL); + if (data->certificates) { if (data->certificates->ca_cert_file)