
Limit cURL to protocols HTTP, HTTPS (#8713)

Alexandre Alapetite пре 4 недеља
родитељ
комит
497d6a7afb
4 измењених фајлова са 65 додато и 0 уклоњено
  1. 18 0
      app/Controllers/updateController.php
  2. 18 0
      app/Models/Feed.php
  3. 14 0
      app/Models/SimplePieCustom.php
  4. 15 0
      app/Utils/httpUtil.php

+ 18 - 0
app/Controllers/updateController.php

@@ -229,6 +229,24 @@ class FreshRSS_update_Controller extends FreshRSS_ActionController {
 			curl_setopt($curlResource, CURLOPT_RETURNTRANSFER, true);
 			curl_setopt($curlResource, CURLOPT_SSL_VERIFYPEER, true);
 			curl_setopt($curlResource, CURLOPT_SSL_VERIFYHOST, 2);
+
+			$curl_options = [];
+			if (defined('CURLOPT_PROTOCOLS_STR')) {
+				$curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
+				if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) {
+					$curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
+				}
+			} elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
+				// Legacy PHP 8.2-
+				if (defined('CURLOPT_PROTOCOLS')) {
+					$curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+				}
+				if (defined('CURLOPT_REDIR_PROTOCOLS')) {
+					$curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+				}
+			}
+			curl_setopt_array($curlResource, $curl_options);
+
 			$result = curl_exec($curlResource);
 			$curlGetinfo = curl_getinfo($curlResource, CURLINFO_HTTP_CODE);
 			$curlError = curl_error($curlResource);
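Review bot: The result of `curl_setopt_array($curlResource, $curl_options)` is not checked, so if libcurl rejects the protocol option, or neither set of constants is defined and `$curl_options` stays empty, `curl_exec()` still runs with libcurl's default scheme set. For a hardening change the call should fail closed, e.g. `if ($curl_options === [] || !curl_setopt_array($curlResource, $curl_options)) { /* log and skip the request */ }`; how to abort depends on the enclosing method, which starts and ends outside this hunk. The identical call in app/Models/Feed.php has the same gap. Because this block is pasted verbatim into all four files, a single shared helper that returns the protocol options would keep the check in one place and make it harder for a future cURL call site to miss the restriction.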

+ 18 - 0
app/Models/Feed.php

@@ -1455,6 +1455,24 @@ class FreshRSS_Feed extends Minz_Model {
 				CURLOPT_ACCEPT_ENCODING => '',	//Enable all encodings
 				//CURLOPT_VERBOSE => 1,	// To debug sent HTTP headers
 			]);
+
+			$curl_options = [];
+			if (defined('CURLOPT_PROTOCOLS_STR')) {
+				$curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
+				if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) {
+					$curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
+				}
+			} elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
+				// Legacy PHP 8.2-
+				if (defined('CURLOPT_PROTOCOLS')) {
+					$curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+				}
+				if (defined('CURLOPT_REDIR_PROTOCOLS')) {
+					$curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+				}
+			}
+			curl_setopt_array($ch, $curl_options);
+
 			$response = curl_exec($ch);
 			$info = curl_getinfo($ch);
 			if (!is_array($info)) {

+ 14 - 0
app/Models/SimplePieCustom.php

@@ -44,6 +44,20 @@ final class FreshRSS_SimplePieCustom extends \SimplePie\SimplePie
 				unset($curl_options[CURLOPT_PROXY]);
 			}
 		}
+		if (defined('CURLOPT_PROTOCOLS_STR')) {
+			$curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
+			if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) {
+				$curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
+			}
+		} elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
+			// Legacy PHP 8.2-
+			if (defined('CURLOPT_PROTOCOLS')) {
+				$curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+			}
+			if (defined('CURLOPT_REDIR_PROTOCOLS')) {
+				$curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+			}
+		}
 		$this->set_curl_options($curl_options);
 
 		$this->strip_comments(true);

+ 15 - 0
app/Utils/httpUtil.php

@@ -369,6 +369,21 @@ final class FreshRSS_http_Util {
 			}
 		}
 
+		if (defined('CURLOPT_PROTOCOLS_STR')) {
+			$curl_options[CURLOPT_PROTOCOLS_STR] = 'http,https';
+			if (defined('CURLOPT_REDIR_PROTOCOLS_STR')) {
+				$curl_options[CURLOPT_REDIR_PROTOCOLS_STR] = 'http,https';
+			}
+		} elseif (defined('CURLPROTO_HTTP') && defined('CURLPROTO_HTTPS')) {
+			// Legacy PHP 8.2-
+			if (defined('CURLOPT_PROTOCOLS')) {
+				$curl_options[CURLOPT_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+			}
+			if (defined('CURLOPT_REDIR_PROTOCOLS')) {
+				$curl_options[CURLOPT_REDIR_PROTOCOLS] = CURLPROTO_HTTP | CURLPROTO_HTTPS;
+			}
+		}
+
 		curl_setopt_array($ch, $curl_options);
 
 		$body = curl_exec($ch);
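Review bot: The restriction is appended to the shared `$curl_options` array, and `curl_setopt_array()` stops at the first option it cannot set and returns false, so a rejected earlier entry would leave the protocol options unapplied while `curl_exec()` still runs. The entries built above this hunk are not visible here, but if any of them can come from per-feed or user configuration, the limit is safer applied on its own after the general call and checked: `if (!curl_setopt_array($ch, $protocol_options)) { /* abort the request */ }`, where `$protocol_options` is a suggested name for an array holding only the keys added in this hunk. app/Models/SimplePieCustom.php merges into `$curl_options` the same way before `set_curl_options()`, so it presumably inherits the same ordering dependence.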