curl-library

"URLs are dangerous things"

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 6 Feb 2018 08:24:41 +0100 (CET)

Hi friends,

Every now and then we get security problems reported to us that are really
just various types of attacks you can do if you can either A) modify the URL
your curl application is using and/or B) have a server respond with a
perfectly fine protocol-wise but malicious response to curl.

Letting users freely set the URL, or parts of the URL, for your curl-using
application can have consequences.

I've started to document exactly what consequences and how:

https://gist.github.com/bagder/c22b31fab3bf9e21ff82f872bd5bd372#file-urls-in-curl-md

I'm interested in feedback and help in polishing it up to actually be helpful.

-- 
  / daniel.haxx.se
Received on 2018-02-06