From a5bf6a36c53fd860c1e9ef92e60ec08a4ad8f8e7 Mon Sep 17 00:00:00 2001
From: Paul Dreik
Date: Mon, 23 Sep 2019 13:11:49 +0200
Subject: doh: allow only http and https in debug mode

Otherwise curl may be told to use for instance pop3 to communicate with the doh server, which most likely is not what you want.

Found through fuzzing.

Closes #4406
---
 lib/doh.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/doh.c b/lib/doh.c
index 05a6cc235..196e89d93 100644
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -264,6 +264,9 @@ static CURLcode dohprobe(struct Curl_easy *data,
 #ifndef CURLDEBUG
 /* enforce HTTPS if not debug */
 ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+#else
+ /* in debug mode, also allow http */
+ ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS);
 #endif
 ERROR_CHECK_SETOPT(CURLOPT_TIMEOUT_MS, (long)timeout_ms);
 if(data->set.verbose)
-- 
cgit v1.2.1
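Review bot: Only `CURLOPT_PROTOCOLS` is restricted in the lines shown, so if the probe handle is ever allowed to follow redirects, the redirect target's scheme would not be covered by this allow-list. Setting the same mask on the redirect side in both branches would close that, e.g. `ERROR_CHECK_SETOPT(CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);` in the non-debug branch and `CURLPROTO_HTTP|CURLPROTO_HTTPS` in the `#else` branch. dohprobe starts and ends outside this hunk, so redirects may already be disabled or restricted elsewhere in the function. Separately, the new comment could say why cleartext is tolerated, for example `/* debug builds also allow plain http (DoH is then unencrypted); not for production use */`.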