Add `CURL_CA_SEARCH_SAFE` build-time option to enable CA bundle search
in the `curl` tool directory. The lookup method was already used to find
`.curlrc` and `_curlrc` (on Windows). On Windows it overrides the unsafe
default `SearchPath()` method.
Enable with:
- cmake: `-DCURL_CA_SEARCH_SAFE=ON`
- autotools: `--enable-ca-search-safe`
- raw: `CPPFLAGS=-DCURL_CA_SEARCH_SAFE`
On Windows, before this patch the whole `PATH` was searched for
a CA bundle. `PATH` may contain unwanted or world-writable locations,
including the current directory. Searching them all is convenient to
pick up any CA bundle, but not secure.
The Muldersoft curl distro implements such CA search via a custom
patch for Windows:
https://github.com/lordmulder/cURL-build-win32/blob/
cd652d4792c177c98b08b4309d3cac2b8dbbf9b0/patch/curl_tool_doswin.diff#L50
MSYS2/mingw-w64 distro has also been rolling a patch solving this:
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/0001-Make-cURL-relocatable.patch
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/pathtools.c
Also add option to fully disable Windows CA search:
- cmake: `-DCURL_DISABLE_CA_SEARCH=ON`
- autotools: `--disable-ca-search`
- raw: `CPPFLAGS=-DCURL_DISABLE_CA_SEARCH`.
Both options are considered EXPERIMENTAL, with possible incompatible
changes or even (partial) removal in the future, depending on feedback.
An alternative, secure option is to embed the CA bundle into the binary.
Safe search can be extended to other platforms if necessary or useful,
by using `_NSGetExecutablePath()` (macOS),
`/proc/self/exe` (Linux/Cygwin), or `argv[0]`.
Closes #14582
plat: 'windows'
type: 'Debug'
tflags: '~1516 ~2301 ~2302 ~2303 ~2307'
- config: '-DENABLE_DEBUG=ON -DENABLE_UNICODE=OFF -DCURL_USE_SCHANNEL=OFF -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_LIBSSH2=ON -DCURL_USE_OPENSSL=ON'
+ config: '-DENABLE_DEBUG=ON -DENABLE_UNICODE=OFF -DCURL_USE_SCHANNEL=OFF -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_LIBSSH2=ON -DCURL_USE_OPENSSL=ON -DCURL_CA_SEARCH_SAFE=ON'
- name: 'boringssl-ECH'
install: 'brotli zlib zstd libpsl nghttp2 boringssl libssh2[core,zlib]'
arch: 'x64'
endif()
endif()
+if(WIN32)
+ option(CURL_DISABLE_CA_SEARCH "Disable unsafe CA bundle search in PATH on Windows" OFF)
+ option(CURL_CA_SEARCH_SAFE "Enable safe CA bundle search (within the curl tool directory) on Windows" OFF)
+endif()
+
# Check for header files
if(WIN32)
set(CURL_INCLUDES ${CURL_INCLUDES} "winsock2.h")
AM_CONDITIONAL(CURL_CA_EMBED_SET, test "x$CURL_CA_EMBED" != "x")
+dnl ----------------------
+dnl check unsafe CA search
+dnl ----------------------
+
+if test "$curl_cv_native_windows" = "yes"; then
+ AC_MSG_CHECKING([whether to enable unsafe CA bundle search in PATH on Windows])
+ AC_ARG_ENABLE(ca-search,
+AS_HELP_STRING([--enable-ca-search],[Enable unsafe CA bundle search in PATH on Windows (default)])
+AS_HELP_STRING([--disable-ca-search],[Disable unsafe CA bundle search in PATH on Windows]),
+ [ case "$enableval" in
+ no)
+ AC_MSG_RESULT([no])
+ AC_DEFINE(CURL_DISABLE_CA_SEARCH, 1, [If unsafe CA bundle search in PATH on Windows is disabled])
+ ;;
+ *)
+ AC_MSG_RESULT([yes])
+ ;;
+ esac ],
+ AC_MSG_RESULT([yes])
+ )
+fi
+
+dnl --------------------
+dnl check safe CA search
+dnl --------------------
+
+if test "$curl_cv_native_windows" = "yes"; then
+ AC_MSG_CHECKING([whether to enable safe CA bundle search (within the curl tool directory) on Windows])
+ AC_ARG_ENABLE(ca-search-safe,
+AS_HELP_STRING([--enable-ca-search-safe],[Enable safe CA bundle search])
+AS_HELP_STRING([--disable-ca-search-safe],[Disable safe CA bundle search (default)]),
+ [ case "$enableval" in
+ yes)
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(CURL_CA_SEARCH_SAFE, 1, [If safe CA bundle search is enabled])
+ ;;
+ *)
+ AC_MSG_RESULT([no])
+ ;;
+ esac ],
+ AC_MSG_RESULT([no])
+ )
+fi
+
dnl **********************************************************************
dnl Check for libpsl
dnl **********************************************************************
Disable **AWS-SIG4** support.
+## `CURL_DISABLE_CA_SEARCH`
+
+Disable unsafe CA bundle search in PATH on Windows.
+
## `CURL_DISABLE_DICT`
Disable the DICT protocol
4. Windows Directory (e.g. C:\Windows)
5. all directories along %PATH%
+curl 8.11.0 added a build-time option to disable this search behavior, and
+another option to restrict search to the application's directory.
+
### Use the native store
In several environments, in particular on Windows, you can ask curl to use the
and the TLS backend is not Schannel, and uses the given path as a path to a CA
cert bundle. This option overrides that variable.
-The Windows version of curl automatically looks for a CA certs file named
+(Windows) curl automatically looks for a CA certs file named
'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the
Current Working Directory, or in any folder along your PATH.
+curl 8.11.0 added a build-time option to disable this search behavior, and
+another option to restrict search to the application's directory.
+
(iOS and macOS only) If curl is built against Secure Transport, then this
option is supported for backward compatibility with other SSL engines, but it
should not be set. If the option is not set, then curl uses the certificates
/* disables verbose strings */
#cmakedefine CURL_DISABLE_VERBOSE_STRINGS 1
+/* disables unsafe CA bundle search on Windows from the curl tool */
+#cmakedefine CURL_DISABLE_CA_SEARCH 1
+
+/* safe CA bundle search (within the curl tool directory) on Windows */
+#cmakedefine CURL_CA_SEARCH_SAFE 1
+
/* to make a symbol visible */
#cmakedefine CURL_EXTERN_SYMBOL ${CURL_EXTERN_SYMBOL}
/* Ensure using CURL_EXTERN_SYMBOL is possible */
#ifdef _WIN32
+#if !defined(CURL_WINDOWS_UWP) && \
+ !defined(CURL_DISABLE_CA_SEARCH) && !defined(CURL_CA_SEARCH_SAFE)
/* Search and set the CA cert file for Windows.
*
* Do not call this function if Schannel is the selected SSL backend. We allow
const TCHAR *bundle_file)
{
CURLcode result = CURLE_OK;
-
-#ifdef CURL_WINDOWS_UWP
- (void)config;
- (void)bundle_file;
-#else
DWORD res_len;
TCHAR buf[PATH_MAX];
TCHAR *ptr = NULL;
if(!config->cacert)
result = CURLE_OUT_OF_MEMORY;
}
-#endif
return result;
}
-
+#endif
/* Get a list of all loaded modules with full paths.
* Returns slist on success or NULL on error.
#ifdef _WIN32
+#if !defined(CURL_WINDOWS_UWP) && \
+ !defined(CURL_DISABLE_CA_SEARCH) && !defined(CURL_CA_SEARCH_SAFE)
CURLcode FindWin32CACert(struct OperationConfig *config,
const TCHAR *bundle_file);
+#endif
struct curl_slist *GetLoadedModulePaths(void);
CURLcode win32_init(void);
}
#ifdef _WIN32
- if(!env)
+ if(!env) {
+#if defined(CURL_CA_SEARCH_SAFE)
+ char *cacert = NULL;
+ FILE *cafile = Curl_execpath("curl-ca-bundle.crt", &cacert);
+ if(cafile) {
+ fclose(cafile);
+ config->cacert = strdup(cacert);
+ }
+#elif !defined(CURL_WINDOWS_UWP) && !defined(CURL_DISABLE_CA_SEARCH)
result = FindWin32CACert(config, TEXT("curl-ca-bundle.crt"));
+#endif
+ }
#endif
}
curl_easy_cleanup(curltls);
#include "tool_findfile.h"
#include "tool_msgs.h"
#include "tool_parsecfg.h"
+#include "tool_util.h"
#include "dynbuf.h"
#include "memdebug.h" /* keep this as LAST include */
#define MAX_CONFIG_LINE_LENGTH (10*1024*1024)
static bool my_get_line(FILE *fp, struct curlx_dynbuf *, bool *error);
-#ifdef _WIN32
-static FILE *execpath(const char *filename, char **pathp)
-{
- static char filebuffer[512];
- /* Get the filename of our executable. GetModuleFileName is already declared
- * via inclusions done in setup header file. We assume that we are using
- * the ASCII version here.
- */
- unsigned long len = GetModuleFileNameA(0, filebuffer, sizeof(filebuffer));
- if(len > 0 && len < sizeof(filebuffer)) {
- /* We got a valid filename - get the directory part */
- char *lastdirchar = strrchr(filebuffer, '\\');
- if(lastdirchar) {
- size_t remaining;
- *lastdirchar = 0;
- /* If we have enough space, build the RC filename */
- remaining = sizeof(filebuffer) - strlen(filebuffer);
- if(strlen(filename) < remaining - 1) {
- FILE *f;
- msnprintf(lastdirchar, remaining, "%s%s", DIR_CHAR, filename);
- *pathp = filebuffer;
- f = fopen(filebuffer, FOPEN_READTEXT);
- return f;
- }
- }
- }
-
- return NULL;
-}
-#endif
-
/* return 0 on everything-is-fine, and non-zero otherwise */
int parseconfig(const char *filename, struct GlobalConfig *global)
else {
char *fullp;
/* check for .curlrc then _curlrc in the dir of the executable */
- file = execpath(".curlrc", &fullp);
+ file = Curl_execpath(".curlrc", &fullp);
if(!file)
- file = execpath("_curlrc", &fullp);
+ file = Curl_execpath("_curlrc", &fullp);
if(file)
/* this is the filename we read from */
filename = fullp;
#include "tool_util.h"
+#include "curlx.h"
#include "memdebug.h" /* keep this as LAST include */
#if defined(_WIN32)
}
#endif /* USE_TOOL_FTRUNCATE */
+
+#ifdef _WIN32
+FILE *Curl_execpath(const char *filename, char **pathp)
+{
+ static char filebuffer[512];
+ unsigned long len;
+ /* Get the filename of our executable. GetModuleFileName is already declared
+ * via inclusions done in setup header file. We assume that we are using
+ * the ASCII version here.
+ */
+ len = GetModuleFileNameA(0, filebuffer, sizeof(filebuffer));
+ if(len > 0 && len < sizeof(filebuffer)) {
+ /* We got a valid filename - get the directory part */
+ char *lastdirchar = strrchr(filebuffer, DIR_CHAR[0]);
+ if(lastdirchar) {
+ size_t remaining;
+ *lastdirchar = 0;
+ /* If we have enough space, build the RC filename */
+ remaining = sizeof(filebuffer) - strlen(filebuffer);
+ if(strlen(filename) < remaining - 1) {
+ msnprintf(lastdirchar, remaining, "%s%s", DIR_CHAR, filename);
+ *pathp = filebuffer;
+ return fopen(filebuffer, FOPEN_READTEXT);
+ }
+ }
+ }
+
+ return NULL;
+}
+#endif
int struplocompare(const char *p1, const char *p2);
int struplocompare4sort(const void *p1, const void *p2);
+#ifdef _WIN32
+FILE *Curl_execpath(const char *filename, char **pathp);
+#endif
+
#endif /* HEADER_CURL_TOOL_UTIL_H */
#endif
#ifndef CURL_HAVE_SHA512_256
"sha512-256",
+#endif
+#ifdef _WIN32
+#if defined(CURL_WINDOWS_UWP) || \
+ defined(CURL_DISABLE_CA_SEARCH) || defined(CURL_CA_SEARCH_SAFE)
+ "win32-ca-searchpath",
+#endif
+#ifndef CURL_CA_SEARCH_SAFE
+ "win32-ca-search-safe",
+#endif
#endif
NULL
};
projects / thirdparty / curl.git / commitdiff
