curl/tests/server/disabled.c
Viktor Szakats 22652a5a4c
curl: add options for safe/no CA bundle search (Windows)
Add `CURL_CA_SEARCH_SAFE` build-time option to enable CA bundle search
in the `curl` tool directory. The lookup method was already used to find
`.curlrc` and `_curlrc` (on Windows). On Windows it overrides the unsafe
default `SearchPath()` method.

Enable with:
- cmake: `-DCURL_CA_SEARCH_SAFE=ON`
- autotools: `--enable-ca-search-safe`
- raw: `CPPFLAGS=-DCURL_CA_SEARCH_SAFE`

On Windows, before this patch the whole `PATH` was searched for
a CA bundle. `PATH` may contain unwanted or world-writable locations,
including the current directory. Searching them all is convenient to
pick up any CA bundle, but not secure.

The Muldersoft curl distro implements such CA search via a custom
patch for Windows:
cd652d4792/patch/curl_tool_doswin.diff (L50)

MSYS2/mingw-w64 distro has also been rolling a patch solving this:
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/0001-Make-cURL-relocatable.patch
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/pathtools.c

Also add option to fully disable Windows CA search:
- cmake: `-DCURL_DISABLE_CA_SEARCH=ON`
- autotools: `--disable-ca-search`
- raw: `CPPFLAGS=-DCURL_DISABLE_CA_SEARCH`.

Both options are considered EXPERIMENTAL, with possible incompatible
changes or even (partial) removal in the future, depending on feedback.

An alternative, secure option is to embed the CA bundle into the binary.

Safe search can be extended to other platforms if necessary or useful,
by using `_NSGetExecutablePath()` (macOS),
`/proc/self/exe` (Linux/Cygwin), or `argv[0]`.

Closes #14582
2024-09-22 18:17:25 +02:00


/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/*
* The purpose of this tool is to list the features, if any, that are disabled
* in this build but would otherwise exist and work. These are not visible in
* regular curl -V output.
*
* Disabled protocols are visible in curl_version_info() and are not included
* in this table.
*/
#include "curl_setup.h"
#include "multihandle.h" /* for ENABLE_WAKEUP */
#include "tool_xattr.h" /* for USE_XATTR */
#include "curl_sha512_256.h" /* for CURL_HAVE_SHA512_256 */
#include <stdio.h>
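/*
 * Names of the optional features that are compiled out of this build, one
 * string per feature. Each entry is present only when the preprocessor
 * condition around it holds, so the contents are fixed at compile time.
 * The list ends with a NULL sentinel, which is what main() stops on.
 *
 * Both the pointers and the strings are const: nothing writes to the table.
 */
static const char * const disabled[] = {
#ifdef CURL_DISABLE_BINDLOCAL
  "bindlocal",
#endif
#ifdef CURL_DISABLE_COOKIES
  "cookies",
#endif
#ifdef CURL_DISABLE_BASIC_AUTH
  "basic-auth",
#endif
#ifdef CURL_DISABLE_BEARER_AUTH
  "bearer-auth",
#endif
#ifdef CURL_DISABLE_DIGEST_AUTH
  "digest-auth",
#endif
#ifdef CURL_DISABLE_NEGOTIATE_AUTH
  "negotiate-auth",
#endif
#ifdef CURL_DISABLE_AWS
  "aws",
#endif
#ifdef CURL_DISABLE_DOH
  "DoH",
#endif
#ifdef CURL_DISABLE_HTTP_AUTH
  "HTTP-auth",
#endif
#ifdef CURL_DISABLE_MIME
  "Mime",
#endif
#ifdef CURL_DISABLE_NETRC
  "netrc",
#endif
#ifdef CURL_DISABLE_PARSEDATE
  "parsedate",
#endif
#ifdef CURL_DISABLE_PROXY
  "proxy",
#endif
#ifdef CURL_DISABLE_SHUFFLE_DNS
  "shuffle-dns",
#endif
#ifdef CURL_DISABLE_TYPECHECK
  "typecheck",
#endif
#ifdef CURL_DISABLE_VERBOSE_STRINGS
  "verbose-strings",
#endif
  /* inverted test: listed when the enabling macro is absent */
#ifndef ENABLE_WAKEUP
  "wakeup",
#endif
#ifdef CURL_DISABLE_HEADERS_API
  "headers-api",
#endif
  /* inverted test: listed when the enabling macro is absent */
#ifndef USE_XATTR
  "xattr",
#endif
#ifdef CURL_DISABLE_FORM_API
  "form-api",
#endif
  /* listed when time_t is narrower than five bytes */
#if (SIZEOF_TIME_T < 5)
  "large-time",
#endif
  /* inverted test: listed when the enabling macro is absent */
#ifndef CURL_HAVE_SHA512_256
  "sha512-256",
#endif
#ifdef _WIN32
  /*
   * Windows CA bundle lookup; the two lookup methods are reported separately.
   *
   * "win32-ca-searchpath" is the SearchPath() based lookup. It is listed as
   * disabled on UWP builds, when CURL_DISABLE_CA_SEARCH is set, or when
   * CURL_CA_SEARCH_SAFE is set.
   *
   * "win32-ca-search-safe" is the lookup limited to the curl tool directory.
   * It is listed as disabled whenever CURL_CA_SEARCH_SAFE is not defined.
   *
   * NOTE(review): SearchPath() walks PATH, which may hold the current
   * directory and world-writable locations, so a CA bundle found that way is
   * not necessarily one the administrator installed. If
   * "win32-ca-searchpath" is missing from this tool's output on Windows, the
   * PATH-wide lookup is presumably still compiled in; verify against the
   * tool's CA lookup code. This table also does not show which option wins
   * when CURL_DISABLE_CA_SEARCH and CURL_CA_SEARCH_SAFE are both defined.
   */
#if defined(CURL_WINDOWS_UWP) || \
  defined(CURL_DISABLE_CA_SEARCH) || defined(CURL_CA_SEARCH_SAFE)
  "win32-ca-searchpath",
#endif
#ifndef CURL_CA_SEARCH_SAFE
  "win32-ca-search-safe",
#endif
#endif
  NULL
};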
/*
 * Print every entry of the disabled[] table to stdout, one name per line and
 * in table order, stopping at the NULL sentinel. The command-line arguments
 * are accepted but ignored. Always returns 0.
 */
int main(int argc, char **argv)
{
  const char * const *entry = disabled;

  /* unused; the casts silence unused-parameter warnings */
  (void) argc;
  (void) argv;

  while(*entry) {
    printf("%s\n", *entry);
    entry++;
  }

  return 0;
}