Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Idea: voluntary restricting curl (use)

From: James Fuller via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 14 Jan 2019 12:06:35 +0100

alternately instead of restriction we could warn people better with
just more log messages with a warning log level and maybe --warning
switch.

Jim Fuller

On Mon, 14 Jan 2019 at 11:31, Daniel Stenberg via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> On Mon, 14 Jan 2019, Mischa Salle via curl-library wrote:
>
> > Hmm, not sure this would add very much, but on the other hand could indeed
> > as Ray points out break things in unexpected ways and make life in general
> > more complicated.
>
> Sure, users who'd decide to restrict curl would probably get it "more
> complicated" in some ways but that's by choice and that also saves them from
> using applications/scripts in ways they don't approve of. A complication that
> brings benefits.
>
> If you don't care (which I assume most people won't), you don't set anything
> and then there's nothing extra!
>
> > If you want to add policies, I think you will be needing more than a simple
> > env variable, i.e. something like a config file.
>
> The problem with a config file is that it then becomes set for all curl
> invokes and not just the one from a specific shell, which an environment
> variable would do. I would also imagine that restricting curl like this would
> be something often done to test and experiment first and then you really don't
> want to affect any other scripts than the particular one you want to try out
> right now.
>
> Also suggested a environment variable because it is easy to play with from a
> user's stand-point.
>
> > In any case you need the cooperation of the script/program calling
> > curl as it would be trivial to circumvent (declare -r doesn't help).
>
> Why would a script/application author actively work against this? I don't
> understand what motivations such developers would have. I mean the typical
> well-meaning ones, not the rare malicious or misinformed developers who I of
> course acknowledge exist but I think is a very small minority.
>
> A developer who wants a script or program to run and use an insecure protocol
> for example, they do that for a reason as they perhaps only have access to a
> service over that protocol. Why would they try to trick their users into
> believing they're not using those insecure protocols?
>
> Maybe I'm just too much of an optimist! =)
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-01-14