libcpr
libcurl CURLOPT_SSL_OPTIONS are not managed correctly
Description
In libcurl, CURLOPT_SSL_OPTIONS are designed to be given all together, since each call to curl_easy_setopt (on the same handle) will actually cancel any previous one by overwriting all the options (check here: https://github.com/curl/curl/blob/master/lib/setopt.c#L2364).
However, libcpr is setting this option multiple times with different values.
Affected code:
- https://github.com/libcpr/cpr/blob/master/cpr/session.cpp#L534
- https://github.com/libcpr/cpr/blob/master/cpr/session.cpp#L200
- Also, this line probably causes undefined behavior because we are passing a
long*, while it expects along
- Also, this line probably causes undefined behavior because we are passing a
Example/How to Reproduce
curl_easy_setopt(session.GetCurlHolder()->handle, CURLOPT_SSL_OPTIONS, <custom_options>);
Response r = session.Get(); // option set above is not respected
Possible Fix
The overall handling of SslOptions needs to be fixed in libcpr, by OR-ing all the options together and passing them in one single setopt call.
Possibly, CURLOPT_SSL_OPTIONS should be set only from SetSslOptions method and not from prepareCommonShared or similar, to also allow the user to override the value using the direct curl handle, like the following:
curl_easy_setopt(session.GetCurlHolder()->handle, CURLOPT_SSL_OPTIONS, <custom_options>);
Response r = session.Get();
Where did you get it from?
vcpkg
Additional Context/Your Environment
- OS: any
- Version: any
