
Re: Warning: using file:// on Windows with curl

From: Jeffrey Walton via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 16 Mar 2020 03:30:58 -0400

On Mon, Mar 16, 2020 at 3:19 AM Daniel Stenberg via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> This is a general note and warning to users of curl and libcurl running on
> Windows and using FILE:// transfers.
>
> The Windows operating system will automatically, and without any way for
> applications to disable it, try to establish a connection to another host over
> the network and access it (over SMB or other protocols), if only the correct
> file path is accessed.
>
> When first realizing this, the curl team tried to filter out such attempts in
> order to protect applications from inadvertent probes of, for example, internal
> networks etc. This resulted in CVE-2019-15601 and the associated security fix.
> ...
> The conclusion we have come to is that this is a weakness or feature in the
> Windows operating system itself, that we as an application cannot safely
> protect users against. It would just be a whack-a-mole race we don't want to
> participate in. There are too many ways to do it and there's no knob we can
> use to turn off the practice.

Yes, the feature is baked into the Windows network redirector. If it
is a bug, then it is a Microsoft redirector bug, not a cURL bug.

How did someone manage to get CVE-2019-15601 assigned to cURL for
this? More useless crap from snake oil firms?

Jeff
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-03-16
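As an added illustration of the point the quoted mail makes (this is example code written for this page, not curl's code and not part of the thread): a string-level check can flag the documented spellings of a Windows network path in a file:// URL (a host in the authority, a UNC path, the \\?\UNC\ and \\.\UNC\ prefixes, including percent-encoded forms), but it has no way to see a mapped drive letter or any other indirection that makes a local-looking path reach the network. The host names and paths in the sample are constructed placeholders.

```python
r"""Flag file:// URLs whose target is spelled as a Windows network path.

Illustrative code added to this page; it is not curl's code.  It recognises
only the spellings the Windows path syntax documents: a host in the URL
authority, a UNC path (\\host\share), and the \\?\UNC\ and \\.\UNC\ prefixes.
A mapped drive letter (net use Z: \\host\share) looks exactly like a local
path and is reported as local, which is the limit the mail describes.
"""
import re
from urllib.parse import unquote, urlsplit

_LEADING_SLASHES = re.compile(r"^(/*)(.*)$", re.DOTALL)


def file_url_targets_network(url: str) -> bool:
    """Return True if the URL's target is written as a remote (UNC/SMB) path."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        raise ValueError(f"not a file:// URL: {url!r}")

    # file://host/path: a non-empty authority other than localhost names a host.
    if parts.netloc and parts.netloc.lower() != "localhost":
        return True

    # Decode percent-encoding first: %5C%5C is the same as \\ to the redirector,
    # then treat backslash and slash alike, as Windows does.
    path = unquote(parts.path).replace("\\", "/")
    leading, rest = _LEADING_SLASHES.match(path).groups()

    if len(leading) < 2:
        # "/C:/dir/file" or a relative path: drive letter, looks local.
        return False

    # Two or more leading separators: either \\host\share or a \\?\ / \\.\ prefix.
    if re.match(r"^[?.]/", rest):
        # \\?\UNC\host\share and \\.\UNC\host\share are remote; \\?\C:\... is local.
        return rest[2:].lower().startswith("unc/")
    return True


# Constructed sample (placeholder host names); the value is the expected verdict.
SAMPLE_URLS = {
    "file:///C:/Windows/win.ini": False,
    "file://fileserver/share/x.txt": True,
    "file:////fileserver/share/x.txt": True,
    "file:///%5C%5Cfileserver%5Cshare%5Cx.txt": True,
    "file:///%5C%5C%3F%5CUNC%5Cfileserver%5Cshare%5Cx.txt": True,
    "file:///%5C%5C%3F%5CC:%5Cx.txt": False,
    "file://localhost/C:/x.txt": False,
    # Z: may be a mapped network drive; no string check can tell.
    "file:///Z:/payroll.xlsx": False,
}


def classify(urls):
    """Map each URL to the check's verdict."""
    return {u: file_url_targets_network(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(f"{'NETWORK' if verdict else 'local  '}  {url}")
```

The last sample is the honest part: the check returns "local" for Z:, and nothing in the URL can say otherwise. Every spelling the function catches is one the mail's "whack-a-mole" remark refers to, and each new spelling found later would need another branch here.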