From 9a86ca2646b70e5190255e8488888f6dab7e137c Mon Sep 17 00:00:00 2001
From: Alessandro Bitetto
Date: Fri, 12 Jun 2026 11:35:41 +0200
Subject: [PATCH] fix: enable TLS certificate verification in FileTransporter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The cURL-based file transporter disabled peer certificate verification on Linux (CURLOPT_SSL_VERIFYPEER, 0L) for both downloads and uploads, based on the outdated premise that "Linux doesn't have root certificates". Modern distributions ship a system CA bundle, so this only served to make every HTTPS transfer vulnerable to man-in-the-middle attacks — including uploads that can carry document data. Enable full verification explicitly (VERIFYPEER + VERIFYHOST) at both call sites so the secure default is documented and cannot be silently reintroduced. Platforms without a default CA bundle should configure one via CURLOPT_CAINFO/CURLOPT_CAPATH rather than disabling verification.

Signed-off-by: Alessandro Bitetto
---
 .../src/FileTransporter_curl.cpp | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/Common/Network/FileTransporter/src/FileTransporter_curl.cpp b/Common/Network/FileTransporter/src/FileTransporter_curl.cpp
index 1f57cb4c66..9191400121 100644
--- a/Common/Network/FileTransporter/src/FileTransporter_curl.cpp
+++ b/Common/Network/FileTransporter/src/FileTransporter_curl.cpp
@@ -113,11 +113,12 @@ namespace NSNetwork
 //curl_easy_setopt(curl, CURLOPT_NOPROGRESS, FALSE);
 // Install the callback function
 //curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progress_func);
-#if defined(__linux__)
- //Linux doesn't have root certificates built into the system, so we disable verification
- //http://curl.haxx.se/docs/sslcerts.html
- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
-#endif
+ // Verify the peer's TLS certificate against the system CA store.
+ // These are libcurl defaults; set explicitly so the bypass is not
+ // reintroduced. If a platform lacks a default CA bundle, configure
+ // it via CURLOPT_CAINFO/CURLOPT_CAPATH rather than disabling verification.
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
 /* tell libcurl to follow redirection(default false) */
 curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
 /* some servers don't like requests that are made without a user-agent field, so we provide one */
@@ -173,11 +174,12 @@ namespace NSNetwork
 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_data_to_string);
 curl_easy_setopt(curl, CURLOPT_WRITEDATA, &readBuffer);
-#if defined(__linux__)
- //Linux doesn't have root certificates built into the system, so we disable verification
- //http://curl.haxx.se/docs/sslcerts.html
- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
-#endif
+ // Verify the peer's TLS certificate against the system CA store.
+ // These are libcurl defaults; set explicitly so the bypass is not
+ // reintroduced. If a platform lacks a default CA bundle, configure
+ // it via CURLOPT_CAINFO/CURLOPT_CAPATH rather than disabling verification.
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
 /* Perform the request, res will get the return code */
 res = curl_easy_perform(curl);
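Review bot: The return codes of the two new `curl_easy_setopt` calls are discarded, so if libcurl ever rejects either option (a build without a TLS backend may answer `CURLE_NOT_BUILT_IN`) the code falls through to `curl_easy_perform` without the verification this commit promises; the same applies to the second hunk at line 174. Since both call sites now carry an identical four-line comment plus two calls, I would move them into one file-local helper that reports whether both options were accepted, and have each caller abort the transfer the way it already reports other curl failures instead of performing the request. Nothing in the hunks wires `CURLOPT_CAINFO`/`CURLOPT_CAPATH` to any configuration, so if the rest of the file does not either, the comment's advice about platforms without a default bundle has no code path in this transporter; worth stating where that is meant to be set. Both enclosing functions begin and end outside the hunks, so the exact error path is not visible here.
```cpp
// Enable peer-certificate and hostname verification. Returns false when libcurl
// rejects either option so the caller can refuse to transfer rather than proceed
// with verification silently off.
static bool enableTlsVerification(CURL* curl)
{
    return curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L) == CURLE_OK
        && curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L) == CURLE_OK;
}

// … unchanged: option setup preceding the verification block, at both call sites …
if (!enableTlsVerification(curl))
{
    // … report the failure the way this function already handles curl errors …
}
```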