Re: Feature proposal: deny protocol-specific flags when protocol mismatched
From: cyber security via curl-users <curl-users_at_lists.haxx.se>
Date: Fri, 15 Aug 2025 04:04:36 -0400
Thanks, I'll check it out.
On Fri, Aug 15, 2025 at 4:02 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
> On Fri, 15 Aug 2025, cyber security via curl-users wrote:
>
> > └─$ curl https://httpbin.org --ftp-account "anonymous"
>
> That would suddenly make curl command lines across the world that have worked
> fine for decades suddenly return error instead of doing what they have been
> doing for a long time.
>
> What about this command line?
>
> curl https://httpbin.org --ftp-account "anonymous" ftp://ftp.funet.fi/
>
> Is that option right or wrong?
>
> It is also quite common for people writing scripts that would do:
>
> if [ condition ]; then
>   URL="https://httpbin.org"
> else
>   URL="ftp://ftp.funet.fi/"
> fi
>
> curl "$URL" --ftp-account "anonymous"
>
> Not to mention how users can put such an option in their .netrc now and have
> it used when it needs to and just not used when the protocol doesn't use it.
>
> > So in general this recommended reject invalid options and validate input
> > make curl more better and user friendly tool bad is ignore silently
>
> It doesn't exactly "ignore silently". It's just that it never gets used if the
> protocol doesn't use the thing the option controls.
>
> > and using this make also improve security
>
> How does it improve security and for whom?
>
> > so i recommend secure coding
>
> In which way do we not already practice secure coding?
>
> --
>
> / daniel.haxx.se || https://rock-solid.curl.dev
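
The three command lines discussed in the quoted reply, classified by whether `--ftp-account` has an FTP transfer to apply to. This is an added example, not part of the thread and not curl's own code; the function name `ftp_account_use` is hypothetical, and it assumes only arguments written as `scheme://...` are URLs.

```shell
#!/bin/sh
# Added example: classify how --ftp-account relates to the URLs on a
# curl-style argument list. curl itself is never run.
# Prints one of: none, used, mixed, unused.
# Assumption: only arguments of the form scheme://... count as URLs.
ftp_account_use() {
  local has_opt=0 ftp=0 other=0 skip=0 arg
  for arg in "$@"; do
    # The argument right after --ftp-account is its value, not a URL.
    if [ "$skip" -eq 1 ]; then skip=0; continue; fi
    case "$arg" in
      --ftp-account) has_opt=1; skip=1 ;;
      [Ff][Tt][Pp]://*|[Ff][Tt][Pp][Ss]://*) ftp=$((ftp + 1)) ;;
      *://*) other=$((other + 1)) ;;
    esac
  done
  if [ "$has_opt" -eq 0 ]; then
    echo none      # option not given at all
  elif [ "$ftp" -gt 0 ] && [ "$other" -gt 0 ]; then
    echo mixed     # applies to some URLs, never gets used for the others
  elif [ "$ftp" -gt 0 ]; then
    echo used      # every URL with a scheme is FTP or FTPS
  else
    echo unused    # no FTP URL: the option never gets used
  fi
}

# The command lines from the thread, arguments only.
ftp_account_use https://httpbin.org --ftp-account "anonymous"
ftp_account_use https://httpbin.org --ftp-account "anonymous" ftp://ftp.funet.fi/
URL="ftp://ftp.funet.fi/"   # one branch of the if/else script in the thread
ftp_account_use "$URL" --ftp-account "anonymous"
```

A script that wants the stricter behaviour for its own invocations can run a check like this before calling curl and treat `unused` as an error, without any change to curl itself.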
Received on 2025-08-15