
Commit 697bab9

committed
Merge branch 'aw/validate-proxy-url-scheme' into seen
Misspelt proxy URL (e.g., httt://...) did not trigger any warning or failure, which has been corrected. * aw/validate-proxy-url-scheme: http: reject unsupported proxy URL schemes
2 parents 6fa2280 + 663d7ab commit 697bab9

2 files changed

Lines changed: 74 additions & 25 deletions


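--- a/http.c
+++ b/http.c
@@ -761,6 +761,69 @@ static int has_proxy_cert_password(void)
 return 1;
 }
 
+static const struct socks_proxy_type {
+const char *name;
+long curlsym;
+} socks_proxy_types[] = {
+{ "socks", CURLPROXY_SOCKS4 },
+{ "socks4", CURLPROXY_SOCKS4 },
+{ "socks4a", CURLPROXY_SOCKS4A },
+{ "socks5", CURLPROXY_SOCKS5 },
+{ "socks5h", CURLPROXY_SOCKS5_HOSTNAME },
+};
+
+static const struct socks_proxy_type *find_socks_proxy_type(const char *protocol)
+{
+int i;
+
+if (!protocol)
+return NULL;
+
+for (i = 0; i < ARRAY_SIZE(socks_proxy_types); i++) {
+if (!strcmp(socks_proxy_types[i].name, protocol))
+return &socks_proxy_types[i];
+}
+
+return NULL;
+}
+
+static int is_socks_proxy_protocol(const char *protocol)
+{
+return !!find_socks_proxy_type(protocol);
+}
+
+static int set_curl_proxy_type(CURL *result, const char *protocol)
+{
+const struct socks_proxy_type *socks_proxy_type;
+
+if (!protocol || !strcmp(protocol, "http"))
+return 0;
+
+socks_proxy_type = find_socks_proxy_type(protocol);
+if (socks_proxy_type) {
+curl_easy_setopt(result, CURLOPT_PROXYTYPE, socks_proxy_type->curlsym);
+return 0;
+}
+
+if (!strcmp(protocol, "https")) {
+curl_easy_setopt(result, CURLOPT_PROXYTYPE, (long)CURLPROXY_HTTPS);
+
+if (http_proxy_ssl_cert)
+curl_easy_setopt(result, CURLOPT_PROXY_SSLCERT,
+http_proxy_ssl_cert);
+
+if (http_proxy_ssl_key)
+curl_easy_setopt(result, CURLOPT_PROXY_SSLKEY,
+http_proxy_ssl_key);
+
+if (has_proxy_cert_password())
+curl_easy_setopt(result, CURLOPT_PROXY_KEYPASSWD,
+proxy_cert_auth.password);
+}
+
+return -1;
+}
+
 /* Return 1 if redactions have been made, 0 otherwise. */
 static int redact_sensitive_header(struct strbuf *header, size_t offset)
 {
@@ -1231,30 +1294,6 @@ static CURL *get_curl_handle(void)
 } else if (curl_http_proxy) {
 struct strbuf proxy = STRBUF_INIT;
 
-if (starts_with(curl_http_proxy, "socks5h"))
-curl_easy_setopt(result,
-CURLOPT_PROXYTYPE, (long)CURLPROXY_SOCKS5_HOSTNAME);
-else if (starts_with(curl_http_proxy, "socks5"))
-curl_easy_setopt(result,
-CURLOPT_PROXYTYPE, (long)CURLPROXY_SOCKS5);
-else if (starts_with(curl_http_proxy, "socks4a"))
-curl_easy_setopt(result,
-CURLOPT_PROXYTYPE, (long)CURLPROXY_SOCKS4A);
-else if (starts_with(curl_http_proxy, "socks"))
-curl_easy_setopt(result,
-CURLOPT_PROXYTYPE, (long)CURLPROXY_SOCKS4);
-else if (starts_with(curl_http_proxy, "https")) {
-curl_easy_setopt(result, CURLOPT_PROXYTYPE, (long)CURLPROXY_HTTPS);
-
-if (http_proxy_ssl_cert)
-curl_easy_setopt(result, CURLOPT_PROXY_SSLCERT, http_proxy_ssl_cert);
-
-if (http_proxy_ssl_key)
-curl_easy_setopt(result, CURLOPT_PROXY_SSLKEY, http_proxy_ssl_key);
-
-if (has_proxy_cert_password())
-curl_easy_setopt(result, CURLOPT_PROXY_KEYPASSWD, proxy_cert_auth.password);
-}
 if (strstr(curl_http_proxy, "://"))
 credential_from_url(&proxy_auth, curl_http_proxy);
 else {
@@ -1264,6 +1303,10 @@ static CURL *get_curl_handle(void)
 strbuf_release(&url);
 }
 
+if (set_curl_proxy_type(result, proxy_auth.protocol) < 0)
+die("Invalid proxy URL '%s': unsupported proxy scheme '%s'",
+curl_http_proxy, proxy_auth.protocol);
+
 if (!proxy_auth.host)
 die("Invalid proxy URL '%s'", curl_http_proxy);
 
@@ -1274,7 +1317,7 @@ static CURL *get_curl_handle(void)
 if (ver->version_num < 0x075400)
 die("libcurl 7.84 or later is required to support paths in proxy URLs");
 
-if (!starts_with(proxy_auth.protocol, "socks"))
+if (!is_socks_proxy_protocol(proxy_auth.protocol))
 die("Invalid proxy URL '%s': only SOCKS proxies support paths",
 curl_http_proxy);
 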
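Review bot: In `set_curl_proxy_type()` the `https` branch sets `CURLOPT_PROXYTYPE` and the proxy client-certificate options but never returns, so control falls through to the final `return -1;` and `get_curl_handle()` dies with "unsupported proxy scheme 'https'" for a scheme the function clearly intends to support. Add `return 0;` as the last statement inside the `if (!strcmp(protocol, "https")) { ... }` block. Separately, the match is now an exact, case-sensitive `strcmp`, whereas the removed `starts_with` chain let anything it did not recognise fall through to libcurl. Unless `credential_from_url()` lowercases the scheme (not visible here), a proxy written as `HTTP://...` would now be rejected, so either compare with `strcasecmp` or document that schemes must be lowercase. `get_curl_handle()` itself starts and ends outside these hunks.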
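--- a/t/t5564-http-proxy.sh
+++ b/t/t5564-http-proxy.sh
@@ -102,4 +102,10 @@ test_expect_success 'Unix socket requires localhost' - <<\EOT
 }
 EOT
 
+test_expect_success 'unknown proxy scheme is rejected' '
+test_must_fail git clone -c http.proxy=htpp://127.0.0.1 \
+https://example.com/repo.git 2>err &&
+test_grep "unsupported proxy scheme '\''htpp'\''" err
+'
+
 test_done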
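Review bot: Only the rejection path is exercised here, so nothing checks that the schemes `set_curl_proxy_type()` is meant to accept still get past the new `die()`; an `https://` proxy in particular has no coverage in this hunk. Add a companion case that sets `http.proxy=https://127.0.0.1` (the clone may still fail for lack of a listener) and asserts the message is absent, e.g. `test_grep ! "unsupported proxy scheme" err`. A similar case with an uppercase scheme would pin down whether scheme matching is meant to be case-sensitive.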
