--remote-header-name security?
From: Paul Gilmartin via curl-users <curl-users_at_lists.haxx.se>
Date: Sat, 8 Jan 2022 17:42:31 -0700
Man curl tells me:
-J, --remote-header-name
...
WARNING: Exercise judicious use of this option, especially on
Windows. A rogue server could send you the name of a DLL or
other file that could possibly be loaded automatically by Win-
dows or some third party software.
OK. Windows is Windows, and I don't put "." in my PATH. But might the "rogue
server" do, e.g.:
Content-Disposition: attachment; filename=/etc/passwd
or will curl download only to the current directory?
Also, what's a good way of testing for --remote-header-name? I'm thinking:
curl --remote-header-name --remote-name URL
if [ $? -eq 23 ]; then curl --output tempname URL; fi
Thanks,
gil
Received on 2022-01-09
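For a script that picks the output name itself and passes it to `--output`, the following added example (not part of the original message and not curl's own code) reduces a server-supplied Content-Disposition value such as the `filename=/etc/passwd` case above to a bare file name, or rejects it. The function name `safe_cd_filename`, its rejection policy and the sample header values are assumptions constructed for illustration.

```shell
#!/bin/sh
# safe_cd_filename HEADER_VALUE
# Prints a bare file name taken from a Content-Disposition value, or returns 1
# when nothing usable remains. Hypothetical helper, not curl's implementation.
safe_cd_filename() {
    value=$1

    # Keep only the text after "filename=" (any letter case); drop stray CRs.
    # A value without a plain filename parameter yields an empty string.
    name=$(printf '%s\n' "$value" |
        sed -n 's/.*[Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee]=//p' |
        tr -d '\r')

    # Quoted form: take what is between the quotes.
    # Unquoted form: stop at the next parameter separator.
    case $name in
        \"*) name=${name#\"}; name=${name%%\"*} ;;
        *)   name=${name%%;*} ;;
    esac

    # Drop every directory component, for both "/" and "\" separators,
    # so the result can only name a file in the directory the caller chose.
    name=${name##*/}
    name=${name##*\\}

    # Policy assumed here: refuse empty names, ".", "..", dot files and names
    # that a later command could mistake for an option.
    case $name in
        ''|.*|-*) return 1 ;;
    esac

    printf '%s\n' "$name"
}

# Constructed sample header values, one per line.
while IFS= read -r header; do
    if out=$(safe_cd_filename "$header"); then
        echo "use:      $out"
    else
        echo "rejected: $header"
    fi
done <<'EOF'
attachment; filename=/etc/passwd
attachment; filename="..\..\name.dll"; size=3
attachment; filename="../.bashrc"
inline
EOF
```

The caller would then run curl from a dedicated download directory and pass the returned name to `--output`, falling back to a fixed name when the function returns 1.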