From bf04b07327a5d2a7197df36daaa764b8ad5706e4 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 15 Jun 2023 15:00:28 +0200
Subject: dirmngr: New option --compatibility-flags.

* dirmngr/dirmngr.c (oCompatibilityFlags): NEw.
(opts): Add option --compatibility-flags.
(compatibility_flags): New.
(parse_rereadable_options): Parse them.
---
 dirmngr/dirmngr.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'dirmngr/dirmngr.h')

diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 1128e118b..5571d6181 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -154,6 +154,9 @@ struct
                                        current after nextUpdate. */
 
   strlist_t keyserver;              /* List of default keyservers.  */
+
+  /* Compatibility flags (COMPAT_FLAG_xxxx).  */
+  unsigned int compat_flags;
 } opt;
 
 
@@ -182,6 +185,18 @@ struct
 #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
 #define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE)
 
+/* Compatibility flags */
+
+/* Since version 2.2.12 dirmngr restricted HTTP redirection in an
+ * attempt to mitigate certain CSRF attacks.  It turned out that this
+ * breaks too many WKD deployments and that the attack scenario is not
+ * due to gnupg's redirecting but due to insecure configured systems.
+ * Thus from 2.4.3 on we disable this restriction but allow to use the
+ * old behaviour by using this compatibility flag.  For details see
+ * https://dev.gnupg.org/T6477.  */
+#define COMPAT_RESTRICT_HTTP_REDIR   1
+
+
 /* A simple list of certificate references.  FIXME: Better use
    certlist_t also for references (Store NULL at .cert) */
 struct cert_ref_s
-- 
cgit v1.2.3