Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Idea: voluntary restricting curl (use)

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 14 Jan 2019 11:20:39 +0100 (CET)

On Mon, 14 Jan 2019, Mischa Salle via curl-library wrote:

> Hmm, not sure this would add very much, but on the other hand could indeed
> as Ray points out break things in unexpected ways and make life in general
> more complicated.

Sure, users who'd decide to restrict curl would probably get it "more
complicated" in some ways but that's by choice and that also saves them from
using applications/scripts in ways they don't approve of. A complication that
brings benefits.

If you don't care (which I assume most people won't), you don't set anything
and then there's nothing extra!

> If you want to add policies, I think you will be needing more than a simple
> env variable, i.e. something like a config file.

The problem with a config file is that it then becomes set for all curl
invokes and not just the one from a specific shell, which an environment
variable would do. I would also imagine that restricting curl like this would
be something often done to test and experiment first and then you really don't
want to affect any other scripts than the particular one you want to try out
right now.

Also suggested a environment variable because it is easy to play with from a
user's stand-point.

> In any case you need the cooperation of the script/program calling
> curl as it would be trivial to circumvent (declare -r doesn't help).

Why would a script/application author actively work against this? I don't
understand what motivations such developers would have. I mean the typical
well-meaning ones, not the rare malicious or misinformed developers who I of
course acknowledge exist but I think is a very small minority.

A developer who wants a script or program to run and use an insecure protocol
for example, they do that for a reason as they perhaps only have access to a
service over that protocol. Why would they try to trick their users into
believing they're not using those insecure protocols?

Maybe I'm just too much of an optimist! =) 

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2019-01-14