diff --git a/0002-rhbz-918080-restrict-the-set-of-protocols-for-curl.patch b/0002-rhbz-918080-restrict-the-set-of-protocols-for-curl.patch
new file mode 100644
index 0000000..4127faf
--- /dev/null
+++ b/0002-rhbz-918080-restrict-the-set-of-protocols-for-curl.patch
@@ -0,0 +1,68 @@
+From 3c34544890e6fba5df3ddffd11a0533c96426cc6 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Mon, 8 Apr 2013 20:18:19 +0200
+Subject: [PATCH 2/3] rhbz#918080 restrict the set of protocols for curl
+ (cherry picked from commit 6401443248d7ce9fad1b42bad291418d59f4a623)
+
+Conflicts:
+ src/libcmis/base-session.cxx
+ src/libcmis/base-session.hxx
+---
+ src/libcmis/base-session.cxx | 10 ++++++++++
+ src/libcmis/base-session.hxx | 1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/libcmis/base-session.cxx b/src/libcmis/base-session.cxx
+index b007a9d..9d08edc 100644
+--- a/src/libcmis/base-session.cxx
++++ b/src/libcmis/base-session.cxx
+@@ -123,6 +123,7 @@ BaseSession::BaseSession( string atomPubUrl, string repositoryId, string usernam
+ {
+ curl_global_init( CURL_GLOBAL_ALL );
+ m_curlHandle = curl_easy_init( );
++ initProtocols();
+ }
+
+ BaseSession::BaseSession( const BaseSession& copy ) :
+@@ -142,6 +143,7 @@ BaseSession::BaseSession( const BaseSession& copy ) :
+ // Not sure how sharing curl handles is safe.
+ curl_global_init( CURL_GLOBAL_ALL );
+ m_curlHandle = curl_easy_init( );
++ initProtocols();
+ }
+
+ BaseSession& BaseSession::operator=( const BaseSession& copy )
+@@ -161,6 +163,7 @@ BaseSession& BaseSession::operator=( const BaseSession& copy )
+ // Not sure how sharing curl handles is safe.
+ curl_global_init( CURL_GLOBAL_ALL );
+ m_curlHandle = curl_easy_init( );
++ initProtocols();
+
+ return *this;
+ }
+@@ -535,3 +538,10 @@ libcmis::Exception CurlException::getCmisException( ) const
+
+ return libcmis::Exception( msg, type );
+ }
++
++void BaseSession::initProtocols( )
++{
++ const unsigned long protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS;
++ curl_easy_setopt(m_curlHandle, CURLOPT_PROTOCOLS, protocols);
++ curl_easy_setopt(m_curlHandle, CURLOPT_REDIR_PROTOCOLS, protocols);
++}
+diff --git a/src/libcmis/base-session.hxx b/src/libcmis/base-session.hxx
+index 0b90c1f..6446a41 100644
+--- a/src/libcmis/base-session.hxx
++++ b/src/libcmis/base-session.hxx
+@@ -149,6 +149,7 @@ class BaseSession : public libcmis::Session
+ virtual void setAuthenticationProvider( libcmis::AuthProviderPtr provider ) { m_authProvider = provider; }
+ private:
+ void httpRunRequest( std::string url ) throw ( CurlException );
++ void initProtocols( );
+ };
+
+ #endif
+--
+1.8.1.4
+
diff --git a/0003-Init-protocols-should-be-done-right-after-resetting-.patch b/0003-Init-protocols-should-be-done-right-after-resetting-.patch
new file mode 100644
index 0000000..3f8023b
--- /dev/null
+++ b/0003-Init-protocols-should-be-done-right-after-resetting-.patch
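Review bot: `initProtocols()` discards the result of both `curl_easy_setopt` calls, so if libcurl rejects either option the handle keeps its default protocol set and the request proceeds with nothing reported. Because this function is the whole protocol restriction, it should fail closed: capture the code, e.g. `CURLcode rc = curl_easy_setopt( m_curlHandle, CURLOPT_PROTOCOLS, protocols );`, and refuse to run requests on that handle when either call returns anything other than `CURLE_OK`. libcurl documents both options as taking a `long`, so `const long protocols` would match the variadic argument exactly. The constructor and `operator=` bodies that call it start outside the hunks shown.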
@@ -0,0 +1,75 @@
+From 3ea92e49821638be039be7085659af160a6d4ebf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
+Date: Mon, 22 Apr 2013 15:45:26 +0200
+Subject: [PATCH 3/3] Init protocols should be done right after resetting curl
+ handle (cherry picked from commit e75bd2548101b8681edf13ea085d62634b7668cf)
+
+Conflicts:
+ src/libcmis/base-session.cxx
+---
+ src/libcmis/base-session.cxx | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/libcmis/base-session.cxx b/src/libcmis/base-session.cxx
+index 9d08edc..478d0de 100644
+--- a/src/libcmis/base-session.cxx
++++ b/src/libcmis/base-session.cxx
+@@ -123,7 +123,6 @@ BaseSession::BaseSession( string atomPubUrl, string repositoryId, string usernam
+ {
+ curl_global_init( CURL_GLOBAL_ALL );
+ m_curlHandle = curl_easy_init( );
+- initProtocols();
+ }
+
+ BaseSession::BaseSession( const BaseSession& copy ) :
+@@ -143,7 +142,6 @@ BaseSession::BaseSession( const BaseSession& copy ) :
+ // Not sure how sharing curl handles is safe.
+ curl_global_init( CURL_GLOBAL_ALL );
+ m_curlHandle = curl_easy_init( );
+- initProtocols();
+ }
+
+ BaseSession& BaseSession::operator=( const BaseSession& copy )
+@@ -163,7 +161,6 @@ BaseSession& BaseSession::operator=( const BaseSession& copy )
+ // Not sure how sharing curl handles is safe.
+ curl_global_init( CURL_GLOBAL_ALL );
+ m_curlHandle = curl_easy_init( );
+- initProtocols();
+
+ return *this;
+ }
+@@ -223,6 +220,7 @@ libcmis::HttpResponsePtr BaseSession::httpGetRequest( string url ) throw ( CurlE
+ {
+ // Reset the handle for the request
+ curl_easy_reset( m_curlHandle );
++ initProtocols( );
+
+ libcmis::HttpResponsePtr response( new libcmis::HttpResponse( ) );
+
+@@ -255,6 +253,7 @@ libcmis::HttpResponsePtr BaseSession::httpPutRequest( string url, istream& is, v
+ {
+ // Reset the handle for the request
+ curl_easy_reset( m_curlHandle );
++ initProtocols( );
+
+ libcmis::HttpResponsePtr response( new libcmis::HttpResponse( ) );
+
+@@ -320,6 +319,7 @@ libcmis::HttpResponsePtr BaseSession::httpPostRequest( string url, istringstream
+ {
+ // Reset the handle for the request
+ curl_easy_reset( m_curlHandle );
++ initProtocols( );
+
+ libcmis::HttpResponsePtr response( new libcmis::HttpResponse( ) );
+
+@@ -385,6 +385,7 @@ void BaseSession::httpDeleteRequest( string url ) throw ( CurlException )
+ {
+ // Reset the handle for the request
+ curl_easy_reset( m_curlHandle );
++ initProtocols( );
+
+ curl_easy_setopt( m_curlHandle, CURLOPT_CUSTOMREQUEST, "DELETE" );
+ httpRunRequest( url );
+--
+1.8.1.4
+
diff --git a/libcmis.spec b/libcmis.spec
index 390a9d5..1867891 100644
--- a/libcmis.spec
+++ b/libcmis.spec
@@ -17,6 +17,8 @@ BuildRequires: xmlto Patch0: 0001-libcmis-c-handle-possible-bad-allocations.patch Patch1: 0001-rhbz-918079-always-return-40-hexa-digits.patch +Patch2: 0002-rhbz-918080-restrict-the-set-of-protocols-for-curl.patch +Patch3: 0003-Init-protocols-should-be-done-right-after-resetting-.patch %description LibCMIS is a C++ client library for the CMIS interface. This allows C++
@@ -45,6 +47,8 @@ command line. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build
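Review bot: The restriction now depends on each request method remembering to call `initProtocols( )` after its own `curl_easy_reset( m_curlHandle )`, repeated by hand in `httpGetRequest`, `httpPutRequest`, `httpPostRequest` and `httpDeleteRequest`; a later request path that resets the handle without the second call silently returns to libcurl's default protocols. Tie the two together in one place, for example a private helper whose body is `curl_easy_reset( m_curlHandle ); initProtocols( );`, or apply the options inside `httpRunRequest` if every transfer goes through it (only the DELETE path is visibly routed there in these hunks). A one-line comment at the call, such as `// curl_easy_reset() clears CURLOPT_PROTOCOLS, so re-apply the allow-list`, would record why the order matters. All four function bodies continue past the hunks.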
@@ -90,6 +94,7 @@ rm -f %{buildroot}/%{_libdir}/*.la * Wed Apr 24 2013 David Tardon - 0.3.1-5 - Resolves: rhbz#918079 libcmis::sha1() can return digests with fewer than 40 hexadecimal digits +- Resolves: rhbz#918080 restrict redirection protocols * Mon Apr 08 2013 David Tardon - 0.3.1-4 - Resolves: rhbz#918044 memory leaks on exception path in C wrapper