cURL / Mailing Lists / curl-users / Single Mail


Re: curl and http redirects; possible security implications

From: Alex Bligh <>
Date: Mon, 19 Apr 2010 18:42:09 +0100

--On 19 April 2010 14:51:07 +0200 Daniel Stenberg <> wrote:

>> Just trying to please everyone. My preference would be for "-" as it's
>> the most logical given "+" and "=", notwithstanding the option
>> confusion. Apart from that, I prefer ~ to ! on the basis of minimising
>> shell escapes. If you are happy with using "-", I will delete the two
>> case: statements for ~ and !.
> I would prefer just '-'!

OK, I will make that change (or you can - it's merely deleting
two lines).

> Speaking of this, it struck me that you should probably allow the feature
> to try to change protocols that it doesn't know about so that it is
> suitable future-proof. I'm thinking about the case where a future curl
> introduces support for the COFFEE protocol but somone dislikes it and use
> "--proto -coffee", and then they copy that command line back to a 7.20.1
> curl which doesn't know about coffee at all.
> Of course, a downside would be that a misspelled protocol isn't detected.
> Perhaps it is enough if we use warnf() to inform about unknown protocols
> that are mentioned?

How about I make '~' or something an additional prefix which ignored the
option if it wasn't recognised? IE you could do "--proto -~coffee" to
disable coffee support but ignore it if coffee was not understood. That's a
pretty trivial change. You then get proper error handling in the normal
case, but the person who wants to use a back-compatible command line
can do so without parsing the output of curl -V.

Alex Bligh
List admin:
Received on 2010-04-19