Re: Warning: using file:// on Windows with curl
Date: Mon, 16 Mar 2020 03:30:58 -0400
On Mon, Mar 16, 2020 at 3:19 AM Daniel Stenberg via curl-library wrote:
> This is a general note and warning to users of curl and libcurl running on
> Windows and using FILE:// transfers.
>
> The Windows operating system will automatically, and without any way for
> applications to disable it, try to establish a connection to another host over
> the network and access it (over SMB or other protocols), if only the correct
> file path is accessed.
>
> When first realizing this, the curl team tried to filter out such attempts in
> order to protect applications from inadvertent probes of, for example, internal
> networks etc. This resulted in CVE-2019-15601 and the associated security fix.
>
> The conclusion we have come to is that this is a weakness or feature in the
> Windows operating system itself, that we as an application cannot safely
> protect users against. It would just be a whack-a-mole race we don't want to
> participate in. There are too many ways to do it and there's no knob we can
> use to turn off the practice.
Yes, the feature is baked into the Windows network redirector. If it
is a bug, then it is a Microsoft redirector bug, not a cURL bug.
How did someone manage to get CVE-2019-15601 assigned to cURL for
this? More useless crap from snake oil firms?