
CURLOPT_AUTOREFERER.3: highlight the privacy leak risk #9757

Closed
wants to merge 1 commit into from

Conversation

@bagder (Member) commented Oct 18, 2022

No description provided.

@vszakats (Member) commented Oct 18, 2022

I happen to use this option to retain a meaningful source URL when downloading certain files. GitHub ones are maybe the most trivial examples:

$ curl -LO --xattr https://github.com/curl/curl/releases/download/curl-7_85_0/curl-7.85.0.tar.xz
$ xattr -l curl-7.85.0.tar.xz
user.xdg.origin.url: https://objects.githubusercontent.com/github-production-release-asset-2e65be/569041/ce852[...]a60?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AK[...]%2F20221018%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20221018T[...]Z&X-Amz-Expires=300&X-Amz-Signature=[...]&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=569041&response-content-disposition=attachment%3B%20filename%3Dcurl-7.85.0.tar.xz&response-content-type=application%2Foctet-stream

That is a temporary URL, so unusable for re-download, and non-trivial even to find out which repo it came from.

Workaround:

$ curl --referer ';auto' -LO --xattr https://github.com/curl/curl/releases/download/curl-7_85_0/curl-7.85.0.tar.xz
$ xattr -l curl-7.85.0.tar.xz
user.xdg.origin.url: [...as above...]
user.xdg.referrer.url: https://github.com/curl/curl/releases/download/curl-7_85_0/curl-7.85.0.tar.xz

The referrer now points to the original URL.

This is a rather bad solution with unwanted side-effects, loss-of-privacy being just one of them.

This use-case might be fixed by storing the original URL (after unglobbing) to user.xdg.origin.url. By default, or with an extra option?

@bagder (Member, Author) commented Oct 18, 2022

> This use-case might be fixed by storing the original URL

Maybe that is actually the more correct action, as that is after all the URL you used in the command line...

Slightly unrelated to this PR though. I will proceed and merge this. Feel free to create an issue about your remark and we can work on it.
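To make the privacy point of this PR concrete, here is an added model (not code from the curl project or from either commenter) of what automatic referer does across a redirect chain: every request after a redirect carries the previous URL, query string and all, as its Referer. The redirect chains, hostnames and the `X-Amz-Signature` values are constructed; `safe_referer` is an assumed mitigation policy written for illustration, not an existing curl option; `xattr_records` mirrors only what the `--xattr` output above shows.

```python
"""Model of curl's automatic Referer across a redirect chain (constructed
example, not the curl project's code).

Rule behind CURLOPT_AUTOREFERER / --referer ';auto': every request that
follows a redirect carries the previous URL, unmodified, as its Referer.
safe_referer() is an added, stricter mitigation policy (not a curl option);
xattr_records() reproduces what the discussion shows --xattr writing into
user.xdg.origin.url / user.xdg.referrer.url.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit


@dataclass(frozen=True)
class Request:
    url: str
    referer: Optional[str]


def auto_referer_chain(start: str, redirects: dict[str, str]) -> list[Request]:
    """Follow redirects like ``curl -L --referer ';auto'``: the previous URL,
    query string included, becomes the Referer of the next request."""
    chain = [Request(start, None)]
    url, seen = start, {start}
    while url in redirects:
        nxt = redirects[url]
        if nxt in seen:          # stop on a redirect loop rather than spin
            break
        seen.add(nxt)
        chain.append(Request(nxt, url))
        url = nxt
    return chain


def origin(url: str) -> tuple[str, Optional[str], Optional[int]]:
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def safe_referer(prev: str, nxt: str) -> Optional[str]:
    """Assumed mitigation (added here, stricter than browsers' default policy):
    drop userinfo, query and fragment; send only the origin cross-origin;
    send nothing when the scheme downgrades from https."""
    p = urlsplit(prev)
    if p.scheme == "https" and urlsplit(nxt).scheme != "https":
        return None
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    if origin(prev) != origin(nxt):
        return f"{p.scheme}://{host}/"
    return urlunsplit((p.scheme, host, p.path, "", ""))


def sanitized_chain(start: str, redirects: dict[str, str]) -> list[Request]:
    """Same chain, but with every Referer filtered through safe_referer()."""
    return [
        Request(r.url, None if r.referer is None else safe_referer(r.referer, r.url))
        for r in auto_referer_chain(start, redirects)
    ]


def leaked_query_keys(chain: list[Request]) -> list[tuple[str, str]]:
    """(receiving host, query parameter name) for every Referer query
    parameter that crosses an origin boundary: the privacy leak in question."""
    leaks = []
    for r in chain:
        if r.referer and origin(r.referer) != origin(r.url):
            for key in parse_qs(urlsplit(r.referer).query):
                leaks.append((urlsplit(r.url).hostname or "", key))
    return leaks


def xattr_records(chain: list[Request]) -> dict[str, Optional[str]]:
    """What --xattr stores per the discussion: the final URL as origin and the
    last request's Referer as referrer."""
    last = chain[-1]
    return {"user.xdg.origin.url": last.url, "user.xdg.referrer.url": last.referer}


# Constructed chains. GITHUB mirrors the shape of the discussion's example
# (release page -> signed object URL; the signature is a made-up placeholder).
# SIGNED_FIRST is the risky direction: a signed, short-lived URL that itself
# redirects, so its signature leaves the origin inside the Referer.
GITHUB = {
    "https://github.com/curl/curl/releases/download/curl-7_85_0/curl-7.85.0.tar.xz":
        "https://objects.githubusercontent.com/asset?X-Amz-Signature=PLACEHOLDER",
}
SIGNED_FIRST = {
    "https://files.example.test/d/abc?X-Amz-Signature=s3cr3t&X-Amz-Expires=300":
        "https://cdn.example.test/abc",
    "https://cdn.example.test/abc": "http://mirror.example.test/abc",
}

if __name__ == "__main__":
    start = next(iter(SIGNED_FIRST))
    for req in auto_referer_chain(start, SIGNED_FIRST):
        print(f"GET {req.url}\n    Referer: {req.referer}")
    print("leaked:", leaked_query_keys(auto_referer_chain(start, SIGNED_FIRST)))
    print("sanitized:", [r.referer for r in sanitized_chain(start, SIGNED_FIRST)])
```

Running it prints the chain for `SIGNED_FIRST`: with auto-referer the second request hands `cdn.example.test` both `X-Amz-Signature` and `X-Amz-Expires`, while the sanitized policy sends only `https://files.example.test/` cross-origin and nothing at all on the https-to-http hop. The `GITHUB` chain shows the other half of the thread: `--xattr` records the temporary object URL as `user.xdg.origin.url`, and the referrer field is the only place the original release URL survives.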
