curl-users

Re: curl and http redirects; possible security implications

From: Alex Bligh <alex_at_alex.org.uk>
Date: Mon, 19 Apr 2010 18:42:09 +0100

--On 19 April 2010 14:51:07 +0200 Daniel Stenberg <daniel_at_haxx.se> wrote:

>> Just trying to please everyone. My preference would be for "-" as it's
>> the most logical given "+" and "=", notwithstanding the option
>> confusion. Apart from that, I prefer ~ to ! on the basis of minimising
>> shell escapes. If you are happy with using "-", I will delete the two
>> case: statements for ~ and !.
>
> I would prefer just '-'!

OK, I will make that change (or you can - it's merely deleting
two lines).

> Speaking of this, it struck me that you should probably allow the feature
> to try to change protocols that it doesn't know about so that it is
> suitably future-proof. I'm thinking about the case where a future curl
> introduces support for the COFFEE protocol but someone dislikes it and uses
> "--proto -coffee", and then they copy that command line back to a 7.20.1
> curl which doesn't know about coffee at all.
>
> Of course, a downside would be that a misspelled protocol isn't detected.
> Perhaps it is enough if we use warnf() to inform about unknown protocols
> that are mentioned?

How about I make '~' or something an additional prefix which ignored the
option if it wasn't recognised? I.e. you could do "--proto -~coffee" to
disable coffee support but ignore it if coffee was not understood. That's a
pretty trivial change. You then get proper error handling in the normal
case, but the person who wants to use a back-compatible command line
can do so without parsing the output of curl -V.

-- 
Alex Bligh
Received on 2010-04-19
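
The prefix handling discussed in this message, as an added sketch that is not part of the original mail and not curl's own code: unknown protocol names are an error by default, so a misspelled "-file" cannot silently leave a protocol enabled, while the proposed '~' prefix skips an unknown name. The protocol table, the bitmask layout, the names proto_apply and PROTO_ERR, and the rule that a missing prefix means "add" are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed protocol table for this example (not curl's real one). */
static const char *const known[] = { "http", "https", "ftp", "file" };
#define NKNOWN (sizeof known / sizeof known[0])
#define PROTO_ERR (~0u)

/* Apply a --proto style spec such as "-ftp,-~coffee" to mask and return the
 * new mask, or PROTO_ERR if an unknown protocol lacks the '~' prefix. */
unsigned proto_apply(const char *spec, unsigned mask)
{
  char buf[128];
  char *tok;
  if(strlen(spec) >= sizeof buf)
    return PROTO_ERR;
  strcpy(buf, spec);
  for(tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
    char action = '+';  /* assumption: no prefix means "add" */
    int tolerant = 0;
    unsigned bit = 0;
    size_t i;
    if(*tok == '+' || *tok == '-' || *tok == '=')
      action = *tok++;
    if(*tok == '~') {   /* proposed prefix: skip the entry if unknown */
      tolerant = 1;
      tok++;
    }
    for(i = 0; i < NKNOWN; i++)
      if(!strcmp(tok, known[i]))
        bit = 1u << i;
    if(!bit) {
      if(tolerant)
        continue;
      fprintf(stderr, "unknown protocol '%s'\n", tok);
      return PROTO_ERR; /* strict default: a typo is reported, not ignored */
    }
    if(action == '+')
      mask |= bit;
    else if(action == '-')
      mask &= ~bit;
    else
      mask = bit;
  }
  return mask;
}

int main(void)
{
  printf("%#x\n", proto_apply("-ftp,-~coffee", 0xFu));
  return 0;
}
```

With '~', a misspelled name such as "-~flie" is accepted and leaves "file" enabled, which is the trade-off the thread raises about undetected misspellings.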