Resolves: rhbz#918080 restrict redirection protocols

0002-rhbz-918080-restrict-the-set-of-protocols-for-curl.patch

@@ -0,0 +1,68 @@
+From 3c34544890e6fba5df3ddffd11a0533c96426cc6 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Mon, 8 Apr 2013 20:18:19 +0200
+Subject: [PATCH 2/3] rhbz#918080 restrict the set of protocols for curl
+ (cherry picked from commit 6401443248d7ce9fad1b42bad291418d59f4a623)
+
+Conflicts:
+	src/libcmis/base-session.cxx
+	src/libcmis/base-session.hxx
+---
+ src/libcmis/base-session.cxx | 10 ++++++++++
+ src/libcmis/base-session.hxx |  1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/libcmis/base-session.cxx b/src/libcmis/base-session.cxx
+index b007a9d..9d08edc 100644
+--- a/src/libcmis/base-session.cxx
++++ b/src/libcmis/base-session.cxx
+@@ -123,6 +123,7 @@ BaseSession::BaseSession( string atomPubUrl, string repositoryId, string usernam
+ {
+     curl_global_init( CURL_GLOBAL_ALL );
+     m_curlHandle = curl_easy_init( );
++    initProtocols();
+ }
+ 
+ BaseSession::BaseSession( const BaseSession& copy ) :
+@@ -142,6 +143,7 @@ BaseSession::BaseSession( const BaseSession& copy ) :
+     // Not sure how sharing curl handles is safe.
+     curl_global_init( CURL_GLOBAL_ALL );
+     m_curlHandle = curl_easy_init( );
++    initProtocols();
+ }
+ 
+ BaseSession& BaseSession::operator=( const BaseSession& copy )
+@@ -161,6 +163,7 @@ BaseSession& BaseSession::operator=( const BaseSession& copy )
+     // Not sure how sharing curl handles is safe.
+     curl_global_init( CURL_GLOBAL_ALL );
+     m_curlHandle = curl_easy_init( );
++    initProtocols();
+ 
+     return *this;
+ }
+@@ -535,3 +538,10 @@ libcmis::Exception CurlException::getCmisException( ) const
+ 
+     return libcmis::Exception( msg, type );
+ }
++
++void BaseSession::initProtocols( )
++{
++    const unsigned long protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS;
++    curl_easy_setopt(m_curlHandle, CURLOPT_PROTOCOLS, protocols);
++    curl_easy_setopt(m_curlHandle, CURLOPT_REDIR_PROTOCOLS, protocols);
++}
+diff --git a/src/libcmis/base-session.hxx b/src/libcmis/base-session.hxx
+index 0b90c1f..6446a41 100644
+--- a/src/libcmis/base-session.hxx
++++ b/src/libcmis/base-session.hxx
+@@ -149,6 +149,7 @@ class BaseSession : public libcmis::Session
+         virtual void setAuthenticationProvider( libcmis::AuthProviderPtr provider ) { m_authProvider = provider; }
+     private:
+         void httpRunRequest( std::string url ) throw ( CurlException );
++        void initProtocols( );
+ };
+ 
+ #endif
+-- 
+1.8.1.4
+

0003-Init-protocols-should-be-done-right-after-resetting-.patch

@@ -0,0 +1,75 @@
+From 3ea92e49821638be039be7085659af160a6d4ebf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdo@users.sourceforge.net>
+Date: Mon, 22 Apr 2013 15:45:26 +0200
+Subject: [PATCH 3/3] Init protocols should be done right after resetting curl
+ handle (cherry picked from commit e75bd2548101b8681edf13ea085d62634b7668cf)
+
+Conflicts:
+	src/libcmis/base-session.cxx
+---
+ src/libcmis/base-session.cxx | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/libcmis/base-session.cxx b/src/libcmis/base-session.cxx
+index 9d08edc..478d0de 100644
+--- a/src/libcmis/base-session.cxx
++++ b/src/libcmis/base-session.cxx
+@@ -123,7 +123,6 @@ BaseSession::BaseSession( string atomPubUrl, string repositoryId, string usernam
+ {
+     curl_global_init( CURL_GLOBAL_ALL );
+     m_curlHandle = curl_easy_init( );
+-    initProtocols();
+ }
+ 
+ BaseSession::BaseSession( const BaseSession& copy ) :
+@@ -143,7 +142,6 @@ BaseSession::BaseSession( const BaseSession& copy ) :
+     // Not sure how sharing curl handles is safe.
+     curl_global_init( CURL_GLOBAL_ALL );
+     m_curlHandle = curl_easy_init( );
+-    initProtocols();
+ }
+ 
+ BaseSession& BaseSession::operator=( const BaseSession& copy )
+@@ -163,7 +161,6 @@ BaseSession& BaseSession::operator=( const BaseSession& copy )
+     // Not sure how sharing curl handles is safe.
+     curl_global_init( CURL_GLOBAL_ALL );
+     m_curlHandle = curl_easy_init( );
+-    initProtocols();
+ 
+     return *this;
+ }
+@@ -223,6 +220,7 @@ libcmis::HttpResponsePtr BaseSession::httpGetRequest( string url ) throw ( CurlE
+ {
+     // Reset the handle for the request
+     curl_easy_reset( m_curlHandle );
++    initProtocols( );
+ 
+     libcmis::HttpResponsePtr response( new libcmis::HttpResponse( ) );
+ 
+@@ -255,6 +253,7 @@ libcmis::HttpResponsePtr BaseSession::httpPutRequest( string url, istream& is, v
+ {
+     // Reset the handle for the request
+     curl_easy_reset( m_curlHandle );
++    initProtocols( );
+ 
+     libcmis::HttpResponsePtr response( new libcmis::HttpResponse( ) );
+ 
+@@ -320,6 +319,7 @@ libcmis::HttpResponsePtr BaseSession::httpPostRequest( string url, istringstream
+ {
+     // Reset the handle for the request
+     curl_easy_reset( m_curlHandle );
++    initProtocols( );
+ 
+     libcmis::HttpResponsePtr response( new libcmis::HttpResponse( ) );
+ 
+@@ -385,6 +385,7 @@ void BaseSession::httpDeleteRequest( string url ) throw ( CurlException )
+ {
+     // Reset the handle for the request
+     curl_easy_reset( m_curlHandle );
++    initProtocols( );
+ 
+     curl_easy_setopt( m_curlHandle, CURLOPT_CUSTOMREQUEST, "DELETE" );
+     httpRunRequest( url );
+-- 
+1.8.1.4
+

libcmis.spec

@@ -17,6 +17,8 @@ BuildRequires: xmlto
 
 Patch0: 0001-libcmis-c-handle-possible-bad-allocations.patch
 Patch1: 0001-rhbz-918079-always-return-40-hexa-digits.patch
+Patch2: 0002-rhbz-918080-restrict-the-set-of-protocols-for-curl.patch
+Patch3: 0003-Init-protocols-should-be-done-right-after-resetting-.patch
 
 %description
 LibCMIS is a C++ client library for the CMIS interface. This allows C++
@@ -45,6 +47,8 @@ command line.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 
 %build
@@ -90,6 +94,7 @@ rm -f %{buildroot}/%{_libdir}/*.la
 * Wed Apr 24 2013 David Tardon <dtardon@redhat.com> - 0.3.1-5
 - Resolves: rhbz#918079 libcmis::sha1() can return digests with fewer
   than 40 hexadecimal digits
+- Resolves: rhbz#918080 restrict redirection protocols
 
 * Mon Apr 08 2013 David Tardon <dtardon@redhat.com> - 0.3.1-4
 - Resolves: rhbz#918044 memory leaks on exception path in C wrapper