Re: Feature suggestion to block Curl from connecting reserved and private IP addresses
From: Cristian Rodríguez via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 14 Dec 2021 06:52:36 -0300
On Tue, Dec 14, 2021 at 5:02 AM Ayesh Karunaratne via curl-library
<curl-library_at_lists.haxx.se> wrote:
> I would like to request a feature that can be used to request Curl to
> abort the connection if it attempts to connect to a private or
> reserved IP address. For example, a CURLOPT_BLOCK_PRIVATE_IP and
> CURLOPT_BLOCK_RESERVED_IP pair that accepts a true/false value, and
> blocks IPv4 and IPv6 private/reserved IP ranges. This is effectively
> writing a CURLOPT_PREREQFUNCTION callback that does this in userland
> code, but made easier by Curl itself. I understand that these toggles
> might be redundant because one could write any selective blocking
> pattern with CURLOPT_PREREQFUNCTION, but I'm really seeing these
> options making things a lot easier for the layman.
Curl is the wrong layer to do this; use a firewall, or ip route add
blackhole... And if your problem is that you also want to fail name
resolution, most DNS software has an option to return NXDOMAIN on
records containing RFC 1918 addresses, or also arbitrary user-defined
network prefixes.
Now... this is all papering over broken stuff. Just use a secure
protocol. Nowadays there are a myriad of options with different levels
of performance and security models.
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2021-12-14