curl-library
RE: "The Most Dangerous Code in the World"
Date: Sun, 28 Oct 2012 18:13:14 +0100 (CET)
On Sun, 28 Oct 2012, Yehezkel Horowitz wrote:
>> I thus suggest we simply ban 1 as a value in an upcoming release. This will
>> force users to use 2 instead and when copying such code back to older
>> libcurl-using code that will improve the code running there as well!
>
> You can't force users to use 2, since if they are not reading the documents,
> they might also ignore the return code (I'm not sure which mistake is worse
> ;-).
Correct. But since 2 is already the default, setting an illegal value and
ignoring the return code will make 2 remain set...
> I suggest turning on the bit 'data->set.ssl.verifyhost' in case we got '1'
> as argument (yet return the error code) to keep the code secure.
Yes, that's basically what happens with my suggested patch.
-- / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-28