
Re: '--socks5-hostname' and 'CURL_DISABLE_PROXY'

From: Timothe Litt <litt_at_acm.org>
Date: Wed, 9 Mar 2022 08:31:03 -0500


On 09-Mar-22 03:32, Daniel Stenberg wrote:
> On Tue, 8 Mar 2022, Timothe Litt via curl-users wrote:
>
>>> +#if defined(CURL_DISABLE_PROXY)
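Review bot: the `#if defined(CURL_DISABLE_PROXY)` on this added line is resolved when the tool is compiled, so it reflects the tool's build configuration and not the libcurl that is loaded at run time. If the aim is a hard error whenever a requested proxy option cannot be honoured, checking the result of setting the option at run time would also cover a replaced library. Please add a comment on the guard saying which of the two cases it is meant to handle.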
>
>> I think it probably belongs in the library - not just the command
>> line "tool".  E.g. setting the corresponding CURLOPTs should fail
>> with a "not implemented" error;
>
> libcurl already does.
>
>> the tool can check for that error under "#ifdef CURL_DISABLE_PROXY"
>> and produce your helpful message. This will produce hard errors for
>> other users of the cURL library, which are many.
>
> It's slightly more complicated.
>
> In general the tool code should not check for things present or not in
> the library using build-time systems, since the library can be
> replaced at run-time without the tool being so.
>
> But there's more to it. I took some shortcuts a while ago when I added
> a few CI builds that build and run the test suite with disabled
> features, so I made the tool know about those features and avoid
> trying to set those options when the specific feature is disabled.
> This made it easier to verify that libcurl works correctly with
> disabled features, but it makes it slightly more complicated to make
> the tool error out when said features are used.
>
Fair enough.  The tool should always check for the error; that probably
makes the error message more generic.  The tool should not ignore
user-specified options.

Note that this use case illuminates a security issue - curl is not
connecting via the user-specified path.  For corporate proxies, this is
usually an annoyance - the connection fails to go thru the firewall or
it bypasses a caching server.  For this user's case, the connection is
going through the public internet instead of TOR (which hides the user's
identity and end points). In some countries, the result can be
prison...or worse.  Thus, to protect the user, it needs to be a hard error.

I won't argue the fine points of curl's implementation; you know them
better than anyone.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.


Received on 2022-03-09