curl-users
Re: curl and http redirects; possible security implications
Date: Sun, 18 Apr 2010 14:12:46 +0100
--On 17 April 2010 23:52:21 +0200 Daniel Stenberg <daniel_at_haxx.se> wrote:
>> Perfect, thanks. Reading the patch I see telnet urls (inter alia) are not
>> disabled. Given these can in theory specify a port address (per RFC1738)
>> telnet://<user>:<password>@<host>:<port>/
>
> Yes they can. But why would that be a problem?
In the use case I mentioned, the machine might be behind some form
of packet filtering firewall which can give people a false sense
of security. Whilst admittedly a miscreant can e.g. do a redirect to
http://127.0.0.1:23/ or similar, at least the command is always going
to be prefixed by "get".
>> is there some environment variable or similar I can set to restrict curl
>> protocols (or redirect protocols) with the curl binary (this appears to
>> be CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS in libcurl)
>
> Nope. Nobody has made it do that nor requested the functionality before...
Would you accept a patch to allow command line options
--proto PROTOLIST
--no-proto PROTOLIST
--redir-proto PROTOLIST
--no-redir-proto PROTOLIST
where protolist is a comma separated list of protocols and/or 'all',
and all options are evaluated left to right, starting with the
currently allowed protocols? So, e.g.
--no-proto all --proto http,https
would only allow http and https.
I'm presuming all I need do is go tweak current library variables.
-- 
Alex Bligh
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-04-18
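The left-to-right `--proto` / `--no-proto` evaluation proposed in the message above, as an added example in C that is not curl's own code: the PROTO_* bits, table and function names are hypothetical, and unknown protocol names are rejected rather than silently ignored.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical protocol bits for this example, not libcurl's CURLPROTO_* values. */
enum {
    PROTO_HTTP = 1 << 0, PROTO_HTTPS = 1 << 1, PROTO_FTP = 1 << 2,
    PROTO_TELNET = 1 << 3, PROTO_FILE = 1 << 4,
    PROTO_ALL = PROTO_HTTP | PROTO_HTTPS | PROTO_FTP | PROTO_TELNET | PROTO_FILE
};
static const struct { const char *name; unsigned bit; } proto_names[] = {
    { "http", PROTO_HTTP }, { "https", PROTO_HTTPS }, { "ftp", PROTO_FTP },
    { "telnet", PROTO_TELNET }, { "file", PROTO_FILE }, { "all", PROTO_ALL }
};

/* Look up one token; returns 0 for an unknown name so the caller can reject it. */
static unsigned proto_bit(const char *tok, size_t len) {
    for (size_t i = 0; i < sizeof proto_names / sizeof proto_names[0]; i++)
        if (strlen(proto_names[i].name) == len && !strncmp(proto_names[i].name, tok, len))
            return proto_names[i].bit;
    return 0;
}

/* Apply one --proto / --no-proto argument: a comma-separated list and/or "all".
 * Bits are set (allow) or cleared (deny) in *mask. Returns 0 on success,
 * -1 if any token is unknown, in which case *mask is left unchanged. */
int apply_proto_list(unsigned *mask, const char *list, int allow) {
    unsigned delta = 0;
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        unsigned bit = proto_bit(p, len);
        if (!bit) return -1;
        delta |= bit;
        p = end ? end + 1 : p + len;
    }
    *mask = allow ? (*mask | delta) : (*mask & ~delta);
    return 0;
}

/* Evaluate option/value pairs left to right, starting from the currently allowed set. */
unsigned eval_proto_options(unsigned start, int argc, const char **argv) {
    unsigned mask = start;
    for (int i = 0; i + 1 < argc; i += 2) {
        int allow = !strcmp(argv[i], "--proto") || !strcmp(argv[i], "--redir-proto");
        if (apply_proto_list(&mask, argv[i + 1], allow) != 0)
            fprintf(stderr, "unknown protocol in '%s'\n", argv[i + 1]);
    }
    return mask;
}
```

With `--no-proto all --proto http,https` the result is exactly PROTO_HTTP | PROTO_HTTPS, and a later `--no-proto https` would strip https again because each option is applied in order.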