On Tue, Feb 6, 2018 at 4:52 AM Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Tue, 6 Feb 2018, Christian Schmitz wrote:
>
> > Can we disallow login & password in URLs? e.g. get an option to make
> perform
> > fail with error, if there is a @ in the URL before domain?
>
> That seems like it should be a pretty straight forward thing to add, sure!
>
> But in the context of "dangerous things", how do see the user + password in
> the URL used to harm the application or the server?
>

If it’s a good idea at all, would a sane implementation method (and
generalization) be string blacklisting (maybe preloaded w “@“, etc, for
example)? I don’t have the cURL src in front of me, and I don’t know if
“components” are testable (I.e..: “the part before the domain”), or if a
regexp would fit the bill (or, perhaps both, instead of positing a false
dichotomy, and being aware of “The Center Cannot Hold”[0]). Not entirely
clear something like this “belongs” in cURL, but if there’s enough interest
and value, probably good to have something centralized. “@“ turned out to
be more interesting to me than I’d have imagined...

[0] https://stackoverflow.com/a/1732454

> > And the Use SSL options being 3 would it fail with http:// URL?
>
> CURLOPT_PROTOCOLS is the option to enable/disable specific protocols.
> There's
> no generic "disable all non-authenticated protocols" option.
>
> Of course, an interesting idea is to let CURLOPT_USE_SSL affect *all*
> protocols so that you can require TLS/SSL to be used with that option even
> for
> HTTP(S). But that's not how that option works right now...
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-02-06