curl-users

Re: curl and http redirects; possible security implications

From: Alex Bligh <alex_at_alex.org.uk>
Date: Sat, 17 Apr 2010 22:44:10 +0100

--On 17 April 2010 23:13:49 +0200 Daniel Stenberg <daniel_at_haxx.se> wrote:

>> I would have thought that redirection to file: URLs should be prohibited
>> anyway.
>
> They are prohibited by default since 7.19.4. See
> http://curl.haxx.se/docs/adv_20090303.html

Perfect, thanks. Reading the patch I see telnet urls (inter alia) are not
disabled. Given these can in theory specify a port address (per RFC1738)
  telnet://<user>:<password>@<host>:<port>/
is there some environment variable or similar I can set to restrict
curl protocols (or redirect protocols) with the curl binary (this appears
to be CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS in libcurl)?

-- 
Alex Bligh
Received on 2010-04-17
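
An added example, not part of the original message or of the curl project: a shell wrapper that limits both the initial request and any redirect to an allowlist, using curl's `--proto` and `--proto-redir` command-line options, so a redirect to the telnet:// form quoted above is refused. It assumes the installed curl supports those two options; `restricted_curl`, `ALLOWED_PROTOS` and the `CURL_BIN` override are hypothetical names.

```shell
#!/bin/sh
# Constructed policy: schemes permitted for the request and for any redirect.
ALLOWED_PROTOS="http,https"

# Print the lower-cased scheme of URL; fail if the URL carries no "scheme://".
url_scheme() {
    case "$1" in
        *://*) printf '%s' "${1%%://*}" | tr '[:upper:]' '[:lower:]' ;;
        *) return 1 ;;
    esac
}

# Succeed only for a well-formed scheme that appears in ALLOWED_PROTOS.
scheme_allowed() {
    case "$1" in
        ''|*[!a-z0-9+.-]*) return 1 ;;   # empty, or would confuse the list match
    esac
    case ",$ALLOWED_PROTOS," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# restricted_curl URL [extra curl options...]
# Exit status: 2 = no URL or no explicit scheme, 3 = scheme not allowed,
# otherwise whatever curl itself returns.
restricted_curl() {
    [ "$#" -ge 1 ] || { echo "usage: restricted_curl URL [options]" >&2; return 2; }
    url=$1; shift
    scheme=$(url_scheme "$url") || { echo "refusing URL without explicit scheme" >&2; return 2; }
    scheme_allowed "$scheme" || { echo "refusing scheme: $scheme" >&2; return 3; }
    # "=" replaces curl's default protocol set instead of adding to it.
    # The restrictions follow the caller's options on the command line.
    "${CURL_BIN:-curl}" "$@" \
        --proto "=$ALLOWED_PROTOS" --proto-redir "=$ALLOWED_PROTOS" \
        --location --max-redirs 5 --url "$url"
}
```

Setting `CURL_BIN` to a stub command prints the command line that would be run without touching the network.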