Restrict allowed curl parameters (#7979)

For additional safety, also making sure in this PR that [`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html) is only allowed as an empty string during import.
author: Inverle <inverle@proton.me> 2025-09-18 23:43:04 +0200
committer: GitHub <noreply@github.com> 2025-09-18 23:43:04 +0200
commit: 055342118fd26d85b4be045f582fd1b8568bf6e4 (patch)
tree: 8499f0fddb3a9d5d00939850f45b6070980b8c00 /app
parent: b5ee1d8936f64178b88eb289babafa020c24085d (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/app/Services/ImportService.php b/app/Services/ImportService.php
index a2920dc74..e7af7589d 100644
--- a/app/Services/ImportService.php
+++ b/app/Services/ImportService.php
@@ -275,7 +275,8 @@ class FreshRSS_Import_Service {
 				$curl_params[CURLOPT_COOKIE] = $feed_elt['frss:CURLOPT_COOKIE'];
 			}
 			if (isset($feed_elt['frss:CURLOPT_COOKIEFILE'])) {
-				$curl_params[CURLOPT_COOKIEFILE] = $feed_elt['frss:CURLOPT_COOKIEFILE'];
+				// Allow only an empty value just to enable the libcurl cookie engine
+				$curl_params[CURLOPT_COOKIEFILE] = '';
 			}
 			if (isset($feed_elt['frss:CURLOPT_FOLLOWLOCATION'])) {
 				$curl_params[CURLOPT_FOLLOWLOCATION] = (bool)$feed_elt['frss:CURLOPT_FOLLOWLOCATION'];
author	Inverle <inverle@proton.me>	2025-09-18 23:43:04 +0200
committer	GitHub <noreply@github.com>	2025-09-18 23:43:04 +0200
commit	055342118fd26d85b4be045f582fd1b8568bf6e4 (patch)
tree	8499f0fddb3a9d5d00939850f45b6070980b8c00 /app
parent	b5ee1d8936f64178b88eb289babafa020c24085d (diff)