cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: "The Most Dangerous Code in the World"

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Sat, 27 Oct 2012 13:18:37 -0600

On Oct 27, 2012, at 4:46 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> I thus suggest we simply ban 1 as a value in an upcoming release. This will fource users to use 2 instead and when copying such code back to older libcurl-using code that will improve the code running there as well!
>
> See my attached patch that does exactly this. As this *will* cause one or two legitimate users get an error I'm very interested in further feedback.

I'm okay with this.

Here is a patch that rolls this out to curl_darwinssl.c as well. I noticed that my code had always ignored that option. Now, before you panic and start writing up a CVE, let me point out that it always ignored that option and always verified the domain name unless the host in the URL was an IP address. There just wasn't any way to turn that off.

This patch makes it possible to disable that check, just like in the other TLS/SSL back-ends. Please add this onto your patch.

Nick Zitzmann
<http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2012-10-27