cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: curl and http redirects; possible security implications

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 19 Apr 2010 14:51:07 +0200 (CEST)

On Mon, 19 Apr 2010, Alex Bligh wrote:

> Just trying to please everyone. My preference would be for "-" as it's the
> most logical given "+" and "=", notwithstanding the option confusion. Apart
> from that, I prefer ~ to ! on the basis of minimising shell escapes. If you
> are happy with using "-", I will delete the two case: statements for ~ and
> !.

I would prefer just '-'!

> Is there a better way to read the list of protocols and CURLPROTO_ constants
> from libcurl? And the default values for the two protocol masks?

No. They're not exposed through any API or anything but only exist as defines
in that header file. Besides, it wouldn't make a lot of sense for libcurl to
just have something that would export that list of protocols as I would say
MOST libcurl builds don't even support all of them and you don't want just the
list of supported protocols for this purpose. Possibly we could consider a way
for libcurl to provide this data but I'm not sure it's such a big deal.

Speaking of this, it struck me that you should probably allow the feature to
try to change protocols that it doesn't know about so that it is suitable
future-proof. I'm thinking about the case where a future curl introduces
support for the COFFEE protocol but somone dislikes it and use "--proto
-coffee", and then they copy that command line back to a 7.20.1 curl which
doesn't know about coffee at all.

Of course, a downside would be that a misspelled protocol isn't detected.
Perhaps it is enough if we use warnf() to inform about unknown protocols that
are mentioned?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-04-19