]> de.git.xonotic.org Git - xonotic/darkplaces.git/blobdiff - libcurl.c
projects / xonotic / darkplaces.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
curl: reject file:// URLs
[xonotic/darkplaces.git] / libcurl.c
diff --git a/libcurl.c b/libcurl.c
index 7c9b7dbdf0060802087ef8769881a7d686a8ddbc..bfbc1f13151c333fbe7196720db602667f0d6b4b 100644 (file)
--- a/libcurl.c
+++ b/libcurl.c
@@ -736,6 +736,14 @@ static qboolean Curl_Begin(const char *URL, const char *name, qboolean ispak, qb
                        }
                }
 
+               // if we get here, we actually want to download... so first verify the
+               // URL scheme (so one can't read local files using file://)
+               if(strncmp(URL, "http://", 7) && strncmp(URL, "ftp://", 6) && strncmp(URL, "https://", 8))
+               {
+                       Con_Printf("Curl_Begin(\"%s\")): nasty URL scheme rejected\n", URL);
+                       return false;
+               }
+
                if(forthismap)
                        ++numdownloads_added;
                di = (downloadinfo *) Z_Malloc(sizeof(*di));