cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Too revealing user-agent field?

From: Song Ma <songmash_at_gmail.com>
Date: Wed, 13 Jun 2007 11:11:00 +0800

2007/6/12, Daniel Stenberg <daniel_at_haxx.se>:
>
> Is it?
>
> At least one FreeBSD user seems to think so:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=112555
>
> Any opinions on this here?
>
> --
> Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
>

The FreeBSD patch is reasonable because cURL connection exposes much system
libraries' information to remote site. Some of these libraries like OpenSSL
is vital for web application security. If the remote site detects the local
machine is not with the latest patch on these libraires, the local machine
could be the victim of attack.

By taking firefox on Linux as the example, its user-agent field exposed to
remote only contains:
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; zh-CN; rv:1.8.1.4)
Gecko/20070515 Firefox/2.0.0.4\r\n"
Received on 2007-06-13

This message: [ Message body ]
Next message: Daniel Stenberg: "Re: Too revealing user-agent field?"
Previous message: Doug McNutt: "Re: Too revealing user-agent field?"
In reply to: Daniel Stenberg: "Too revealing user-agent field?"
Next in thread: Daniel Stenberg: "Re: Too revealing user-agent field?"
Reply: Daniel Stenberg: "Re: Too revealing user-agent field?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]