curl-users

Re: curl and http redirects; possible security implications

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 24 Apr 2010 11:13:39 +0200 (CEST)

On Wed, 21 Apr 2010, Alex Bligh wrote:

>>> How about I make '~' or something an additional prefix which ignored the
>>> option if it wasn't recognised?
>>
>> I would not like that.

> My worry is that people will log stderr in any sensibly written script, and
> thus the next thing they will ask for is a switch to silence the log. If we
> give them that, we might as well give them a switch to turn the check off.

I firmly believe we should do it either way and not both. I.e. we either allow
misspelled/upcoming protocol names or we bail out on them.

And I favour the first approach (allow unknowns) since it'll make command
lines survive better between systems. I mean, if we will allow "-sftp" for
curl commands that CAN'T even do sftp today (when they're built without
that support) but won't accept "-rtmp" simply because there's no libcurl done
yet that supports rtmp? That's a very strange distinction to me and my guess
is it will also be strange to users.

And besides, we do this warnf() thing on a lot of other similar commands
already (like --ftp-method and --ftp-ssl-ccc-mode). Users who redirect stderr
do that on purpose to NOT see helpful error messages so of course they will
not see error messages that may concern them.

-- 
  / daniel.haxx.se
Received on 2010-04-24