cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: "The Most Dangerous Code in the World"

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sun, 28 Oct 2012 18:13:14 +0100 (CET)

On Sun, 28 Oct 2012, Yehezkel Horowitz wrote:

>> I thus suggest we simply ban 1 as a value in an upcoming release. This will
>> fource users to use 2 instead and when copying such code back to older
>> libcurl-using code that will improve the code running there as well!
>
> You can't force users to use 2, since if they are not reading the documents,
> they might also ignore the return code (I'm not sure which mistake is worse
> ;-).

Correct. But since 2 is already the default, setting an illegal value and
ignoring the return code will make 2 remain set...

> I suggest turning on the bit 'data->set.ssl.verifyhost' in case we got '1'
> as argument (yet return the error code) to keep the code secure.

Yes, that's basically what happens with my suggested patch.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-28