diff options
| author |  Inverle <inverle@proton.me>
| 2025-09-18 23:43:04 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-09-18 23:43:04 +0200 |
| commit | 055342118fd26d85b4be045f582fd1b8568bf6e4 (patch) | |
| tree | 8499f0fddb3a9d5d00939850f45b6070980b8c00 /app/Services | |
| parent | b5ee1d8936f64178b88eb289babafa020c24085d (diff) | |
Restrict allowed curl parameters (#7979)
For additional safety, also making sure in this PR that [`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html) is only allowed as an empty string during import.
Diffstat (limited to 'app/Services')
| -rw-r--r-- | app/Services/ImportService.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/app/Services/ImportService.php b/app/Services/ImportService.php index a2920dc74..e7af7589d 100644 --- a/app/Services/ImportService.php +++ b/app/Services/ImportService.php @@ -275,7 +275,8 @@ class FreshRSS_Import_Service { $curl_params[CURLOPT_COOKIE] = $feed_elt['frss:CURLOPT_COOKIE']; } if (isset($feed_elt['frss:CURLOPT_COOKIEFILE'])) { - $curl_params[CURLOPT_COOKIEFILE] = $feed_elt['frss:CURLOPT_COOKIEFILE']; + // Allow only an empty value just to enable the libcurl cookie engine + $curl_params[CURLOPT_COOKIEFILE] = ''; } if (isset($feed_elt['frss:CURLOPT_FOLLOWLOCATION'])) { $curl_params[CURLOPT_FOLLOWLOCATION] = (bool)$feed_elt['frss:CURLOPT_FOLLOWLOCATION']; |