From 7158a00f4450d72ba064e11d0c690b64ae39c3ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tam=C3=A1s=20B=C3=A1lint=20Misius?=
Date: Fri, 2 Aug 2019 01:31:02 +0200
Subject: [PATCH] Prevent protocol downgrade attacks
---
 src/Config.h | 1 +
 src/client/http/Request.cpp | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/src/Config.h b/src/Config.h
index edc7930c7..4e97f6fdb 100644
--- a/src/Config.h
+++ b/src/Config.h
@@ -89,6 +89,7 @@
 #define SERVER "powdertoy.co.uk"
 #define STATICSCHEME "https://"
 #define STATICSERVER "static.powdertoy.co.uk"
+#define ENFORCE_HTTPS
 #define LOCAL_SAVE_DIR "Saves"
diff --git a/src/client/http/Request.cpp b/src/client/http/Request.cpp
index 6301bc23a..d42bf024e 100644
--- a/src/client/http/Request.cpp
+++ b/src/client/http/Request.cpp
@@ -157,6 +157,14 @@ namespace http
 #endif
 curl_easy_setopt(easy, CURLOPT_FOLLOWLOCATION, 1L);
+#ifdef ENFORCE_HTTPS
+ curl_easy_setopt(easy, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
+ curl_easy_setopt(easy, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
+#else
+ curl_easy_setopt(easy, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS | CURLPROTO_HTTP);
+ curl_easy_setopt(easy, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS | CURLPROTO_HTTP);
+#endif
+ curl_easy_setopt(easy, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
 curl_easy_setopt(easy, CURLOPT_MAXREDIRS, 10L);
 curl_easy_setopt(easy, CURLOPT_ERRORBUFFER, error_buffer);
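Review bot: The new `ENFORCE_HTTPS` define in `src/Config.h` is a security switch, but nothing at the definition says what it gates. A maintainer who removes it has no hint here that plain HTTP becomes acceptable again for requests and redirects in `src/client/http/Request.cpp`. I would add a comment above it such as `// When defined, libcurl may only speak HTTPS, both for the initial request and for every redirect it follows`. If the scheme defines next to it (`STATICSCHEME` is visible in the hunk) must stay at `"https://"` for requests to succeed with this flag set, which looks likely but is not shown here, say so in the same comment.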
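Review bot: The return values of the new `curl_easy_setopt` calls for `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` in `src/client/http/Request.cpp` are discarded, so the restriction fails open. If libcurl rejects either option, the transfer still runs with libcurl's default protocol set while `CURLOPT_FOLLOWLOCATION` is on. In the `ENFORCE_HTTPS` branch the request should be refused when the limit cannot be applied, e.g. `if (curl_easy_setopt(easy, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS) != CURLE_OK) { /* fail the request */ }`, and likewise for `CURLOPT_PROTOCOLS`. The enclosing function starts and ends outside the hunk, so how a request is failed at this point is not visible. The `#else` branch still lets an HTTPS request be redirected to HTTP; a one-line comment there saying this is intended for non-enforcing builds would make the trade-off explicit.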