Re: Feature proposal: deny protocol-specific flags when protocol mismatched
From: Daniel Stenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 15 Aug 2025 10:02:00 +0200 (CEST)
On Fri, 15 Aug 2025, cyber security via curl-users wrote:
> └─$ curl https://httpbin.org --ftp-account "anonymous"
That would suddenly make curl command lines across the world that have worked
fine for decades suddenly return error instead of doing what they have been
doing for a long time.
What about this command line?
curl https://httpbin.org --ftp-account "anonymous" ftp://ftp.funet.fi/
Is that option right or wrong?
It is also quite common for people writing scripts that would do:
  if [ condition ]; then
    URL="https://httpbin.org"
  else
    URL="ftp://ftp.funet.fi/"
  fi
  curl "$URL" --ftp-account "anonymous"
Not to mention how users can put such an option in their .netrc now and have
it used when it needs to and just not used when the protocol doesn't use it.
> So in general this recommended reject invalid options and validate input
> make curl more better and user friendly tool bad is ignore silently
It doesn't exactly "ignore silently". It's just that it never gets used if the
protocol doesn't use the thing the option controls.
> and using this make also improve security
How does it improve security and for whom?
> so i recommend secure coding
In which way do we not already practice secure coding?
-- / daniel.haxx.se || https://rock-solid.curl.dev
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.html
Received on 2025-08-15
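Added example, not part of the original message and not curl code: a script that wants the stricter behaviour proposed in this thread can apply it on its own side, by checking the whole argument list before invoking curl. The function names are hypothetical, and the inputs are the command lines quoted in the message.

```sh
#!/bin/sh
# Added example, not part of curl: a caller-side lint for one script's policy.

# Returns 0 when --ftp-account is given but no argument looks like an FTP URL.
ftp_account_unused() {
    has_opt=0
    has_ftp_url=0
    for arg in "$@"; do
        case $arg in
            --ftp-account) has_opt=1 ;;
            # Explicit ftp:// or ftps:// scheme (schemes are case-insensitive).
            [Ff][Tt][Pp]://*|[Ff][Tt][Pp][Ss]://*) has_ftp_url=1 ;;
            # Scheme-less URL: curl guesses FTP for host names starting "ftp.".
            [Ff][Tt][Pp].*) has_ftp_url=1 ;;
        esac
    done
    [ "$has_opt" -eq 1 ] && [ "$has_ftp_url" -eq 0 ]
}

# Hypothetical helper: describe what the lint concluded for one argument list.
lint_curl_args() {
    if ftp_account_unused "$@"; then
        echo "warn: --ftp-account given, but no FTP URL in: $*"
    else
        echo "ok: $*"
    fi
}

# Constructed inputs: the command lines from the message above.
lint_curl_args https://httpbin.org --ftp-account anonymous
lint_curl_args https://httpbin.org --ftp-account anonymous ftp://ftp.funet.fi/
# The script case: the same option line, with the URL chosen at run time.
for URL in https://httpbin.org ftp://ftp.funet.fi/; do
    lint_curl_args "$URL" --ftp-account anonymous
done
```

The check has to look at every URL on the line, which is why the second command line passes even though its first URL is HTTPS.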