Restrict allowed curl parameters (#7979)

For additional safety, also making sure in this PR that [`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html) is only allowed as an empty string during import.
author: Inverle <inverle@proton.me> 2025-09-18 23:43:04 +0200
committer: GitHub <noreply@github.com> 2025-09-18 23:43:04 +0200
commit: 055342118fd26d85b4be045f582fd1b8568bf6e4 (patch)
tree: 8499f0fddb3a9d5d00939850f45b6070980b8c00 /lib
parent: b5ee1d8936f64178b88eb289babafa020c24085d (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index b7c3817ee..532a9902a 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -319,8 +319,27 @@ function customSimplePie(array $attributes = [], array $curl_options = []): \Sim
 		}
 	}
 	if (!empty($attributes['curl_params']) && is_array($attributes['curl_params'])) {
+		$safe_params = [
+			CURLOPT_COOKIE,
+			CURLOPT_COOKIEFILE,
+			CURLOPT_FOLLOWLOCATION,
+			CURLOPT_HTTPHEADER,
+			CURLOPT_MAXREDIRS,
+			CURLOPT_POST,
+			CURLOPT_POSTFIELDS,
+			CURLOPT_PROXY,
+			CURLOPT_PROXYTYPE,
+			CURLOPT_USERAGENT,
+		];
 		foreach ($attributes['curl_params'] as $co => $v) {
 			if (is_int($co)) {
+				if (!in_array($co, $safe_params, true)) {
+					continue;
+				}
+				if ($co === CURLOPT_COOKIEFILE) {
+					// Allow only an empty value just to enable the libcurl cookie engine
+					$v = '';
+				}
 				$curl_options[$co] = $v;
 			}
 		}
author	Inverle <inverle@proton.me>	2025-09-18 23:43:04 +0200
committer	GitHub <noreply@github.com>	2025-09-18 23:43:04 +0200
commit	055342118fd26d85b4be045f582fd1b8568bf6e4 (patch)
tree	8499f0fddb3a9d5d00939850f45b6070980b8c00 /lib
parent	b5ee1d8936f64178b88eb289babafa020c24085d (diff)