
curl-users

Re: curl and http redirects; possible security implications

From: Alex Bligh <alex_at_alex.org.uk>
Date: Sun, 18 Apr 2010 14:12:46 +0100

--On 17 April 2010 23:52:21 +0200 Daniel Stenberg <daniel_at_haxx.se> wrote:

>> Perfect, thanks. Reading the patch I see telnet urls (inter alia) are not
>> disabled. Given these can in theory specify a port address (per RFC1738)
>> telnet://<user>:<password>@<host>:<port>/
>
> Yes they can. But why would that be a problem?

In the use case I mentioned, the machine might be behind some form
of packet filtering firewall which can give people a false sense
of security. Whilst admittedly a miscreant can e.g. do a redirect to
http://127.0.0.1:23/ or similar, at least the command is always going
to be prefixed by "get".

>> is there some environment variable or similar I can set to restrict curl
>> protocols (or redirect protocols) with the curl binary (this appears to
>> be CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS in libcurl)
>
> Nope. Nobody has made it do that nor requested the functionality before...

Would you accept a patch to allow command line options
   --proto PROTOLIST
   --no-proto PROTOLIST
   --redir-proto PROTOLIST
   --no-redir-proto PROTOLIST
where protolist is a comma separated list of protocols and/or 'all',
and all options are evaluated left to right, starting with the
currently allowed protocols? So, e.g.
   --no-proto all --proto http,https
would only allow http and https.

I'm presuming all I need do is go tweak current library variables.

-- 
Alex Bligh
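An added worked model of the option semantics proposed above (example code, not curl's own implementation or its eventual option syntax): the list of options is walked left to right, each PROTOLIST is expanded ('all' meaning every known protocol) and added to or removed from the running set, and a redirect target's scheme is then checked against the result. The option names, the set of known protocols and the separate redirect set are assumptions.

```python
# Added example (not curl's code): models the left-to-right --proto/--no-proto
# evaluation proposed above. Option names and the protocol set are assumptions.
from typing import Iterable, Tuple

KNOWN = frozenset({"http", "https", "ftp", "ftps", "telnet", "file", "scp", "sftp"})
OPTIONS = ("--proto", "--no-proto", "--redir-proto", "--no-redir-proto")

def parse_list(spec: str) -> frozenset:
    """Expand a comma separated PROTOLIST; 'all' means every known protocol."""
    names = set()
    for item in spec.split(","):
        item = item.strip().lower()
        if item == "all":
            names |= KNOWN
        elif item in KNOWN:
            names.add(item)
        elif item:
            raise ValueError(f"unknown protocol: {item!r}")
    return frozenset(names)

def evaluate(argv: Iterable[str], start: frozenset = KNOWN) -> Tuple[frozenset, frozenset]:
    """Return (allowed, redir_allowed) after applying argv left to right; both
    sets start as `start` (curl's default: every compiled-in protocol)."""
    allowed, redir = set(start), set(start)
    args = list(argv)
    i = 0
    while i < len(args):
        opt = args[i]
        if opt not in OPTIONS:
            i += 1  # URL, -L, ...: not ours, leave to curl proper
            continue
        if i + 1 >= len(args):
            raise ValueError(f"{opt} needs a PROTOLIST")
        names = parse_list(args[i + 1])
        target = redir if "redir" in opt else allowed  # alias of the set to edit
        if opt.startswith("--no-"):
            target -= names  # in-place removal from the chosen set
        else:
            target |= names
        i += 2
    return frozenset(allowed), frozenset(redir)

def scheme_permitted(url: str, permitted: frozenset) -> bool:
    """Check a (redirect) URL's scheme; a bare host defaults to http like curl."""
    scheme, sep, _ = url.partition("://")
    return (scheme.lower() if sep else "http") in permitted
```

With `--no-redir-proto all --redir-proto http,https` in effect, a redirect to a telnet:// URL on a filtered port is refused by `scheme_permitted` while the initial request set is left untouched.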
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-04-18