curl / Mailing Lists / curl-library / Single Mail


Re: Should curl package maintainers enable libidn2 by default or no?

From: Daniel Stenberg <>
Date: Tue, 31 Oct 2017 23:22:04 +0100 (CET)

On Tue, 31 Oct 2017, Ryan Schmidt wrote:

> Today's curl (7.56.1) automatically enables the use of libidn2, unless
> explicitly disabled via the --without-libidn2 configure flag.
> Do I take this to mean that curl with libidn2 is not considered dangerous
> anymore, and that it is now recommended for package maintainers to ship curl
> with libidn2 support enabled by default?

Well yes. libidn2 was never vulnerable for this problem so once we added
support for that and dropped libidn, we could again support IDN fine in curl.
libidn2 is another library than libidn.

> If so, is there a reason for us to give the user a way to disable that
> support or should we just enable it all the time? (In MacPorts, we prefer to
> limit user choices to the essentials; we don't expose every configure flag
> just because it's there.)

No, there's no known security reason to avoid enabling libidn2 in curl builds.
For generic curl builds I would recommend building with it so that users can
use international domain names in URLs.

Received on 2017-10-31