Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: "URLs are dangerous things"

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Tue, 6 Feb 2018 15:37:54 +0100

On Tue, Feb 06, 2018 at 08:24:41AM +0100, Daniel Stenberg wrote:
> Every now and then we get security problems reported to us that are really
> just various types of attacks you can do if you can either A) modify the url
> your curl application is using and/or B) have a server respond with a
> perfectly fine protocol-wise but malicious response to curl.
>
> Letting users freely set the URL, or parts of the URL, for your curl-using
> application can get consequences.
>
> I've started to document exactly what consequences and how:

There looks like a large degree of overlap with
https://curl.haxx.se/libcurl/c/libcurl-tutorial.html#Security Perhaps that
document could be expanded instead of duplicating the info.
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-02-06