curl-users

Re: curl and http redirects; possible security implications

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 17 Apr 2010 23:52:21 +0200 (CEST)

On Sat, 17 Apr 2010, Alex Bligh wrote:

>> They are prohibited by default since 7.19.4. See
>> http://curl.haxx.se/docs/adv_20090303.html
>
> Perfect, thanks. Reading the patch I see telnet urls (inter alia) are not
> disabled. Given these can in theory specify a port address (per RFC1738)
> telnet://<user>:<password>@<host>:<port>/

Yes they can. But why would that be a problem?

> is there some environment variable or similar I can set to restrict curl
> protocols (or redirect protocols) with the curl binary (this appears to be
> CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS in libcurl)

Nope. Nobody has made it do that nor requested the functionality before...

-- 
  / daniel.haxx.se
Received on 2010-04-17
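
Added example, not part of the original mail and not curl project code: since the reply above says the curl binary has no switch for restricting redirect protocols, a wrapper can run curl without `-L` and vet each `Location` header itself before following it. The names `next_hop` and `follow`, the allowlist, and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_REDIRECT_SCHEMES = {"http", "https"}  # assumption: the caller's policy
REDIRECT_CODES = {"301", "302", "303", "307", "308"}

class BlockedRedirect(Exception):
    """Raised when a redirect is refused by policy."""

def next_hop(current_url, raw_headers, allowed=ALLOWED_REDIRECT_SCHEMES):
    """Return the absolute redirect target, None if the response is not a
    redirect, or raise BlockedRedirect if the target scheme is not allowed."""
    lines = raw_headers.replace("\r\n", "\n").split("\n")
    status = (lines[0].split() + ["", ""])[1]    # "HTTP/1.1 302 Found" -> "302"
    if status not in REDIRECT_CODES:
        return None
    location = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":  # header names are case-insensitive
            location = value.strip()
            break
    if not location:
        return None
    target = urljoin(current_url, location)      # resolves relative Location values
    scheme = urlsplit(target).scheme.lower()
    if scheme not in allowed:
        raise BlockedRedirect(f"{scheme}:// redirect refused: {target}")
    return target

def follow(start_url, fetch_headers, max_hops=5):
    """Follow redirects one hop at a time. fetch_headers(url) is a hypothetical
    callable returning the raw response headers for url (for instance the
    output of a curl run made without -L)."""
    url = start_url
    for _ in range(max_hops):
        target = next_hop(url, fetch_headers(url))
        if target is None:
            return url                           # final, non-redirect response
        url = target
    raise BlockedRedirect(f"more than {max_hops} redirects from {start_url}")

# Constructed sample responses (not captured traffic).
SAMPLE = {
    "http://a.example/start": "HTTP/1.1 302 Found\r\nLocation: /next\r\n\r\n",
    "http://a.example/next": "HTTP/1.1 301 Moved\r\nlocation: https://b.example/\r\n\r\n",
    "https://b.example/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "http://a.example/other": "HTTP/1.1 302 Found\r\nLocation: telnet://c.example:23/\r\n\r\n",
}
```
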