
Re: curl and http redirects; possible security implications

From: Lars Nilsson <chamaeleon_at_gmail.com>
Date: Sun, 18 Apr 2010 14:39:32 -0400

On Sun, Apr 18, 2010 at 2:21 PM, Alex Bligh <alex_at_alex.org.uk> wrote:
>> I would indeed accept such a patch.
>>
>> But I would prefer to see this feature limited to using only two command
>> line options (we do have a very large amount already, so keeping it down
>> somewhat is a concern of mine). You could perhaps have --proto be able to
>> reverse the options, perhaps to say "--proto !http,ftp" to mean all
>> protocols except http and ftp, while --proto http,ftp would mean only
>> http and ftp. Also, we try to minimize how options need to be in a
>> particular order, and your --no-proto and --proto example above fails
>> that.
>
> Fair point.
>
> I think in the first example, --proto !http,!ftp (with extra !) should mean
> not http and ftp. My preference would be for these to set or clear bits
> from the default specified mask, which means you could add support for a
> protocol that is off by default without knowing all the protocols and
> the default values.
>
> So, e.g. --proto-redir !https would disallow a redirect to https (but leave
> the existing file: and scp: disabled), --proto-redir scp would enable scp
> (leaving the existing file disabled), and --proto-redir !all,http,https
> would disable everything except http and https for redirects.

As Unix shells (most if not all) use ! for special purposes, the
option value would have to be quoted (using single quotes) to prevent
an attempt to expand it during command line parsing. Perhaps
something like ~ could be used instead (at least I don't think it
should be a problem despite being used to designate the home directory for
some programs)? Just food for thought.

Lars Nilsson
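Alex's set-or-clear-bits semantics for --proto-redir, as an added example in C that is not curl's code: the protocol bit values, the default redirect mask and the function names are this example's own assumptions, and a leading '~' is accepted alongside '!' to reflect Lars's point about shell expansion.

```c
#include <string.h>
/* Hypothetical protocol bits for this example; curl's own values differ. */
#define PROTO_HTTP    (1u << 0)
#define PROTO_HTTPS   (1u << 1)
#define PROTO_FTP     (1u << 2)
#define PROTO_SCP     (1u << 3)
#define PROTO_FILE    (1u << 4)
#define PROTO_ALL     (PROTO_HTTP | PROTO_HTTPS | PROTO_FTP | PROTO_SCP | PROTO_FILE)
#define PROTO_INVALID 0xFFFFFFFFu
/* Constructed default: redirects may follow http(s)/ftp only, never file: or scp:. */
#define REDIR_DEFAULT (PROTO_HTTP | PROTO_HTTPS | PROTO_FTP)

static const struct { const char *name; unsigned bit; } proto_table[] = {
  {"all", PROTO_ALL}, {"http", PROTO_HTTP}, {"https", PROTO_HTTPS},
  {"ftp", PROTO_FTP}, {"scp", PROTO_SCP}, {"file", PROTO_FILE},
};

/* Apply a comma-separated spec such as "!all,http,https" to *mask: a bare token sets
   its bit, a leading '!' (or '~', Lars's shell-friendly alternative) clears it.
   Returns 0 on success; an empty or unknown token returns -1 and leaves *mask unchanged. */
int apply_proto_spec(const char *spec, unsigned *mask)
{
  unsigned result = *mask;
  const char *p = spec;
  while (*p) {
    const char *end = strchr(p, ',');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    int clear = (len > 0 && (*p == '!' || *p == '~'));
    const char *name = clear ? p + 1 : p;
    size_t nlen = clear ? len - 1 : len;
    unsigned bit = 0;
    for (size_t i = 0; i < sizeof(proto_table) / sizeof(proto_table[0]); i++)
      if (nlen == strlen(proto_table[i].name) && memcmp(name, proto_table[i].name, nlen) == 0)
        bit = proto_table[i].bit;
    if (!bit)
      return -1;                          /* reject the whole spec, not just the bad token */
    result = clear ? (result & ~bit) : (result | bit);
    p = end ? end + 1 : p + len;
  }
  *mask = result;
  return 0;
}

/* Resolve a --proto-redir value against the default; PROTO_INVALID means it was rejected. */
unsigned redir_mask_for(const char *spec)
{
  unsigned m = REDIR_DEFAULT;
  return apply_proto_spec(spec, &m) == 0 ? m : PROTO_INVALID;
}
```

Because each token only flips its own bit relative to the default, "scp" enables scp redirects while file: stays disabled, exactly as described in the thread.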
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-04-18