From 055342118fd26d85b4be045f582fd1b8568bf6e4 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Thu, 18 Sep 2025 23:43:04 +0200
Subject: Restrict allowed curl parameters (#7979)
For additional safety, also making sure in this PR that [`CURLOPT_COOKIEFILE`](https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html) is only allowed as an empty string during import.
---
 app/Services/ImportService.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'app/Services')
diff --git a/app/Services/ImportService.php b/app/Services/ImportService.php
index a2920dc74..e7af7589d 100644
--- a/app/Services/ImportService.php
+++ b/app/Services/ImportService.php
@@ -275,7 +275,8 @@ class FreshRSS_Import_Service {
 $curl_params[CURLOPT_COOKIE] = $feed_elt['frss:CURLOPT_COOKIE'];
 }
 if (isset($feed_elt['frss:CURLOPT_COOKIEFILE'])) {
- $curl_params[CURLOPT_COOKIEFILE] = $feed_elt['frss:CURLOPT_COOKIEFILE'];
+ // Allow only an empty value just to enable the libcurl cookie engine
+ $curl_params[CURLOPT_COOKIEFILE] = '';
 }
 if (isset($feed_elt['frss:CURLOPT_FOLLOWLOCATION'])) {
 $curl_params[CURLOPT_FOLLOWLOCATION] = (bool)$feed_elt['frss:CURLOPT_FOLLOWLOCATION'];
--
cgit v1.2.3
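Review bot: The new comment in the `frss:CURLOPT_COOKIEFILE` branch says what is allowed but not why, and a non-empty imported value is rewritten to `''` without leaving any trace. I would state the reason in the comment, e.g. `// Never take a path from an import file: libcurl would read that server-local file as cookie data. '' only enables the cookie engine.`, and log a warning when the imported value was not already empty, so an operator can spot a crafted or stale import file. The neighbouring `frss:CURLOPT_COOKIE` value is still copied as-is while `frss:CURLOPT_FOLLOWLOCATION` is cast to bool; an `is_string()` check or `(string)` cast there would keep the handling consistent. Feeds stored before this change may still carry a path, so the same restriction is worth enforcing where the options are applied to the curl handle; that code and the rest of this method are outside the hunk, so it may already be covered.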