Re: curl and http redirects; possible security implications

From: Alex Bligh <alex_at_alex.org.uk>
Date: Sun, 18 Apr 2010 19:21:16 +0100

Daniel,

> But my main question about your telnet remark was mostly that telnet has
> no way to automatically login with a password so unless the telnet server
> allows logins without password that won't do much. And in general, curl's
> telnet support is not too similar to how the other protocols work so I
> fail to see what harm such a redirect could cause even in the worst case.

Not that I've ever used it, but doesn't kerberized telnet do something
like that? I don't know whether curl uses a telnet library it can
guarantee is not kerberized. telnet is nothing special in particular,
I was just picking an example of an easy to use protocol that might
get something unexpected from an open port.

>> where protolist is a comma separated list of protocols and/or 'all',
>> and all options are evaluated left to right, starting with the
>> currently allowed protocols? So, e.g.
>> --no-proto all --proto http,https
>> would only allow http and https.
>
> I would indeed accept such a patch.
>
> But I would prefer to see this feature limited to using only two command
> line options (we do have a very large amount already so keeping it down
> somewhat is a concern of mine). You could perhaps have --proto be able to
> reverse the options, perhaps to say "--proto !http,ftp" to mean all
> protocols except http and ftp, while --proto http,ftp would mean only
> http and ftp. Also, we try to minimize how options need to be in a
> particular order, and your --no-proto and --proto example above fails
> that.

Fair point.

I think in the first example, --proto !http,!ftp (with extra !) should mean
not http and ftp. My preference would be for these to set or clear bits
from the default specified mask, which means you could add support for a
protocol that is off by default without knowing all the protocols and
the default values.

So, e.g. --proto-redir !https would disallow a redirect to https (but leave
the existing file: and scp: disabled), --proto-redir scp would enable scp
(leaving the existing file disabled), and --proto-redir !all,http,https
would disable everything except http and https for redirects.

So now ordering matters, but only with the option.

-- 
Alex Bligh
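The set-or-clear-bits semantics proposed above (a comma-separated list, `!` clearing a bit, `all` covering every protocol, evaluated left to right against a default mask) can be shown in a few lines of C. The following is an added example written for this page, not code from curl or from the mail's author: the protocol bit values, the lookup table and the default redirect mask (everything except file: and scp:, as the mail assumes) are constructed for illustration and are not libcurl's CURLPROTO_* constants, and the `!` prefix is the one proposed here rather than the syntax curl later shipped.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed protocol bits for this example (not libcurl's CURLPROTO_* values). */
enum {
    PROTO_HTTP   = 1u << 0,
    PROTO_HTTPS  = 1u << 1,
    PROTO_FTP    = 1u << 2,
    PROTO_FILE   = 1u << 3,
    PROTO_SCP    = 1u << 4,
    PROTO_TELNET = 1u << 5,
    PROTO_ALL    = (1u << 6) - 1
};
#define PROTO_INVALID 0xFFFFFFFFu

/* Redirect default assumed by the mail: everything on except file: and scp:. */
#define DEFAULT_REDIR_MASK (PROTO_ALL & ~(PROTO_FILE | PROTO_SCP))

static const struct { const char *name; unsigned bit; } proto_table[] = {
    {"http", PROTO_HTTP}, {"https", PROTO_HTTPS}, {"ftp", PROTO_FTP},
    {"file", PROTO_FILE}, {"scp", PROTO_SCP},     {"telnet", PROTO_TELNET},
    {"all",  PROTO_ALL},
};

/* Resolve a name of `len` bytes to its bit(s); returns 1 if found, 0 otherwise. */
static int lookup_proto(const char *name, size_t len, unsigned *bit) {
    for (size_t i = 0; i < sizeof proto_table / sizeof proto_table[0]; i++) {
        if (strlen(proto_table[i].name) == len &&
            strncmp(proto_table[i].name, name, len) == 0) {
            *bit = proto_table[i].bit;
            return 1;
        }
    }
    return 0;
}

/* Apply a list such as "!all,http,https" to *mask, left to right: a leading
 * '!' clears the named bits, otherwise they are set. Returns 0 on success,
 * -1 on an empty or unknown item, in which case *mask is left untouched. */
int apply_proto_list(const char *list, unsigned *mask) {
    unsigned m = *mask;
    const char *p = list;
    while (*p) {
        int clear = 0;
        if (*p == '!') { clear = 1; p++; }
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        unsigned bit;
        if (len == 0 || !lookup_proto(p, len, &bit))
            return -1;                      /* reject rather than guess */
        if (clear) m &= ~bit; else m |= bit;
        p = end ? end + 1 : p + len;
    }
    *mask = m;
    return 0;
}

/* Start from the redirect default, apply `list`, return the resulting mask
 * (PROTO_INVALID if the list does not parse). */
unsigned resolve_redir_mask(const char *list) {
    unsigned m = DEFAULT_REDIR_MASK;
    if (apply_proto_list(list, &m) != 0)
        return PROTO_INVALID;
    return m;
}

/* Decide whether following a redirect to `url` is permitted by `mask`: the
 * scheme before "://" must be a single known protocol whose bit is set.
 * Unknown schemes, "all" and URLs without "://" are refused. */
int redirect_allowed(const char *url, unsigned mask) {
    const char *sep = strstr(url, "://");
    unsigned bit;
    if (!sep || !lookup_proto(url, (size_t)(sep - url), &bit))
        return 0;
    if (bit & (bit - 1))                    /* more than one bit: "all" */
        return 0;
    return (mask & bit) != 0;
}

int main(void) {
    const char *examples[] = {"!https", "scp", "!all,http,https", "!http,!ftp", "http,!all"};
    for (size_t i = 0; i < sizeof examples / sizeof examples[0]; i++)
        printf("--proto-redir %-16s -> mask 0x%02x\n", examples[i], resolve_redir_mask(examples[i]));
    return 0;
}
```

Because each item only sets or clears its own bits, a user can enable one protocol that is off by default (`scp`) without listing the others, which is the property the mail argues for; the price is that order matters within a single value (`http,!all` ends with nothing allowed), and an unrecognised name makes the whole option fail rather than silently widening the mask.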
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-04-18