Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Idea: voluntary restricting curl (use)

From: bch via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 10 Jan 2019 15:22:33 -0800

On Thu, Jan 10, 2019 at 2:56 PM bch <brad.harder_at_gmail.com> wrote:

>
>
> On Thu, Jan 10, 2019 at 2:30 PM Daniel Stenberg via curl-library <
> curl-library_at_cool.haxx.se> wrote:
>
>> Hey,
>>
>> I want to test an idea on you all before I proceed and do anything else
>> with
>> it. I need your input, your critique and perhaps your suggestions on how
>> to
>> make into an awesome idea.
>>
>> The problem
>>
>> You - as a user - run programs and scripts that themselves use libcurl
>> or
>> just the command line curl, in ways that you don't approve of. Even if
>> the
>> program or script was written to do use that feature.
>>
>> The solution
>>
>> The all new `CURL_INHIBIT` environment variable, that is parsed by
>> libcurl
>> and can be used to make libcurl avoid certain behaviors.
>>
>> Using this, you can voluntary raise the bar for what's accepted, to
>> prevent
>> scripts and programs from for example using insecure protocols etc.
>>
>> The variable should contain a comma-separated list of named
>> restrictions. The
>> restrictions available are listed below, but other ones may be added in
>> later
>> libcurl versions (and older may be removed). Unknown or just misspelled
>> restrictions will be silently ignored.
>>
>> Restrictions should be named to identify what is *inhibited* by it.
>>
>
>
> I’m only parking this all quickly, but:
>

*parsing this all quickly...

> Consider
>
> 1) having a diagnostic-requesting env var that perhaps dumps state of what
> cURL was trying to do
>
> 2) whitelisting *allowances* instead of blacklisting denials
>
> -bch
>
>
>
>> The general idea here is that applications and scripts using curl can't
>> change or work around restrictions set in this variable!
>>
>> Restrictions
>>
>> Here are three that I immediately came to think of. I'd be interested in
>> adding others to the list if you can think of some!
>>
>> 'clear-text'
>>
>> When set, this will make libcurl avoid downloads over clear-text
>> connections.
>> The transfer MUST be encrypted or trigger an error (`CURLE_INIHIBITED`).
>>
>> 'user-in-url'
>>
>> When set, this is the equivalent of the application setting the
>> `CURLOPT_DISALLOW_USERNAME_IN_URL` option. It will prevent libcurl from
>> accepting URLs with embedded user names.
>>
>> 'insecure-https'
>>
>> When set, this will make transfers that are attempted with server
>> certificate
>> validation disabled to fail.
>>
>> Anything you think you would ever use and appreciate?
>>
>> --
>>
>> / daniel.haxx.se
>> -------------------------------------------------------------------
>> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
>

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-01-11