curl: add options for safe/no CA bundle search (Windows)

Add `CURL_CA_SEARCH_SAFE` build-time option to enable CA bundle search
in the `curl` tool directory. The lookup method was already used to find
`.curlrc` and `_curlrc` (on Windows). On Windows it overrides the unsafe
default `SearchPath()` method.

Enable with:
- cmake: `-DCURL_CA_SEARCH_SAFE=ON`
- autotools: `--enable-ca-search-safe`
- raw: `CPPFLAGS=-DCURL_CA_SEARCH_SAFE`

On Windows, before this patch the whole `PATH` was searched for
a CA bundle. `PATH` may contain unwanted or world-writable locations,
including the current directory. Searching them all is convenient to
pick up any CA bundle, but not secure.

The Muldersoft curl distro implements such CA search via a custom
patch for Windows:
cd652d4792/patch/curl_tool_doswin.diff (L50)

MSYS2/mingw-w64 distro has also been rolling a patch solving this:
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/0001-Make-cURL-relocatable.patch
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/pathtools.c

Also add option to fully disable Windows CA search:
- cmake: `-DCURL_DISABLE_CA_SEARCH=ON`
- autotools: `--disable-ca-search`
- raw: `CPPFLAGS=-DCURL_DISABLE_CA_SEARCH`.

Both options are considered EXPERIMENTAL, with possible incompatible
changes or even (partial) removal in the future, depending on feedback.

An alternative, secure option is to embed the CA bundle into the binary.

Safe search can be extended to other platforms if necessary or useful,
by using `_NSGetExecutablePath()` (macOS),
`/proc/self/exe` (Linux/Cygwin), or `argv[0]`.

Closes #14582

2024-09-22 18:17:25 +02:00

3.2 KiB

Raw Blame History

Code defines to disable features and protocols

`CURL_DISABLE_ALTSVC`

Disable support for Alt-Svc: HTTP headers.

`CURL_DISABLE_BINDLOCAL`

Disable support for binding the local end of connections.

`CURL_DISABLE_COOKIES`

Disable support for HTTP cookies.

`CURL_DISABLE_BASIC_AUTH`

Disable support for the Basic authentication methods.

`CURL_DISABLE_BEARER_AUTH`

Disable support for the Bearer authentication methods.

`CURL_DISABLE_DIGEST_AUTH`

Disable support for the Digest authentication methods.

`CURL_DISABLE_KERBEROS_AUTH`

Disable support for the Kerberos authentication methods.

`CURL_DISABLE_NEGOTIATE_AUTH`

Disable support for the negotiate authentication methods.

`CURL_DISABLE_AWS`

Disable AWS-SIG4 support.

`CURL_DISABLE_CA_SEARCH`

Disable unsafe CA bundle search in PATH on Windows.

`CURL_DISABLE_DICT`

Disable the DICT protocol

`CURL_DISABLE_DOH`

Disable DNS-over-HTTPS

`CURL_DISABLE_FILE`

Disable the FILE protocol

`CURL_DISABLE_FORM_API`

Disable the form API

`CURL_DISABLE_FTP`

Disable the FTP (and FTPS) protocol

`CURL_DISABLE_GETOPTIONS`

Disable the curl_easy_options API calls that lets users get information about existing options to curl_easy_setopt.

`CURL_DISABLE_GOPHER`

Disable the GOPHER protocol.

`CURL_DISABLE_HEADERS_API`

Disable the HTTP header API.

`CURL_DISABLE_HSTS`

Disable the HTTP Strict Transport Security support.

`CURL_DISABLE_HTTP`

Disable the HTTP(S) protocols. Note that this then also disable HTTP proxy support.

`CURL_DISABLE_HTTP_AUTH`

Disable support for all HTTP authentication methods.

`CURL_DISABLE_IMAP`

Disable the IMAP(S) protocols.

`CURL_DISABLE_LDAP`

Disable the LDAP(S) protocols.

`CURL_DISABLE_LDAPS`

Disable the LDAPS protocol.

`CURL_DISABLE_LIBCURL_OPTION`

Disable the --libcurl option from the curl tool.

`CURL_DISABLE_MIME`

Disable MIME support.

`CURL_DISABLE_MQTT`

Disable MQTT support.

`CURL_DISABLE_NETRC`

Disable the netrc parser.

`CURL_DISABLE_NTLM`

Disable support for NTLM.

`CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG`

Disable the auto load config support in the OpenSSL backend.

`CURL_DISABLE_PARSEDATE`

Disable date parsing

`CURL_DISABLE_POP3`

Disable the POP3 protocol

`CURL_DISABLE_PROGRESS_METER`

Disable the built-in progress meter

`CURL_DISABLE_PROXY`

Disable support for proxies

`CURL_DISABLE_IPFS`

Disable the IPFS/IPNS protocols. This affects the curl tool only, where IPFS/IPNS protocol support is implemented.

`CURL_DISABLE_RTSP`

Disable the RTSP protocol.

`CURL_DISABLE_SHA512_256`

Disable the SHA-512/256 hash algorithm.

`CURL_DISABLE_SHUFFLE_DNS`

Disable the shuffle DNS feature

`CURL_DISABLE_SMB`

Disable the SMB(S) protocols

`CURL_DISABLE_SMTP`

Disable the SMTP(S) protocols

`CURL_DISABLE_SOCKETPAIR`

Disable the use of socketpair() internally to allow waking up and canceling curl_multi_poll().

`CURL_DISABLE_TELNET`

Disable the TELNET protocol

`CURL_DISABLE_TFTP`

Disable the TFTP protocol

`CURL_DISABLE_VERBOSE_STRINGS`

Disable verbose strings and error messages.

3.2 KiB Raw Blame History

Code defines to disable features and protocols

CURL_DISABLE_ALTSVC

CURL_DISABLE_BINDLOCAL

CURL_DISABLE_COOKIES

CURL_DISABLE_BASIC_AUTH

CURL_DISABLE_BEARER_AUTH

CURL_DISABLE_DIGEST_AUTH

CURL_DISABLE_KERBEROS_AUTH

CURL_DISABLE_NEGOTIATE_AUTH

CURL_DISABLE_AWS

CURL_DISABLE_CA_SEARCH

CURL_DISABLE_DICT

CURL_DISABLE_DOH

CURL_DISABLE_FILE

CURL_DISABLE_FORM_API

CURL_DISABLE_FTP

CURL_DISABLE_GETOPTIONS

CURL_DISABLE_GOPHER

CURL_DISABLE_HEADERS_API

CURL_DISABLE_HSTS

CURL_DISABLE_HTTP

CURL_DISABLE_HTTP_AUTH

CURL_DISABLE_IMAP

CURL_DISABLE_LDAP

CURL_DISABLE_LDAPS

CURL_DISABLE_LIBCURL_OPTION

CURL_DISABLE_MIME

CURL_DISABLE_MQTT

CURL_DISABLE_NETRC

CURL_DISABLE_NTLM

CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG

CURL_DISABLE_PARSEDATE

CURL_DISABLE_POP3

CURL_DISABLE_PROGRESS_METER

CURL_DISABLE_PROXY

CURL_DISABLE_IPFS

CURL_DISABLE_RTSP

CURL_DISABLE_SHA512_256

CURL_DISABLE_SHUFFLE_DNS

CURL_DISABLE_SMB

CURL_DISABLE_SMTP

CURL_DISABLE_SOCKETPAIR

CURL_DISABLE_TELNET

CURL_DISABLE_TFTP

CURL_DISABLE_VERBOSE_STRINGS