curl-library

Re: "URLs are dangerous things"

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 6 Feb 2018 13:47:50 +0100 (CET)

On Tue, 6 Feb 2018, Christian Schmitz wrote:

> Can we disallow login & password in URLs? e.g. get an option to make perform
> fail with error, if there is a @ in the URL before domain?

That seems like it should be a pretty straightforward thing to add, sure!

But in the context of "dangerous things", how do you see the user + password in
the URL used to harm the application or the server?

> And the Use SSL options being 3 would it fail with http:// URL?

CURLOPT_PROTOCOLS is the option to enable/disable specific protocols. There's
no generic "disable all non-authenticated protocols" option.

Of course, an interesting idea is to let CURLOPT_USE_SSL affect *all*
protocols so that you can require TLS/SSL to be used with that option even for
HTTP(S). But that's not how that option works right now...

-- 
  / daniel.haxx.se
Received on 2018-02-06
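
Added example, not part of the original mail and not curl's own code: an application-side pre-flight check that refuses a URL carrying credentials before the host, the behaviour requested in the thread, and also refuses anything that is not https://. The names `check_url` and `enum url_check` are hypothetical and the sample URLs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the pre-flight check (hypothetical names). */
enum url_check { URL_OK = 0, URL_BAD_SCHEME, URL_HAS_USERINFO };

/* Accept only https:// URLs whose authority part has no "user[:password]@". */
enum url_check check_url(const char *url)
{
    static const char want[] = "https://";
    size_t i;

    if (!url)
        return URL_BAD_SCHEME;

    /* Schemes are case-insensitive, so compare in lower case.
       A short string stops at its NUL, which never matches. */
    for (i = 0; want[i]; i++)
        if (tolower((unsigned char)url[i]) != want[i])
            return URL_BAD_SCHEME;

    /* The authority runs up to the first '/', '?' or '#'. A backslash is
       deliberately not a terminator: URL parsers disagree about it, so an
       '@' that follows one is still treated as userinfo and refused. */
    const char *auth = url + i;
    size_t len = strcspn(auth, "/?#");
    return memchr(auth, '@', len) ? URL_HAS_USERINFO : URL_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *samples[] = {
        "https://example.com/path",
        "https://user:secret@example.com/",
        "https://example.com/?to=a@b.example", /* '@' in query: allowed */
        "https://example.com\\@other.example/",
        "HTTPS://example.com/",
        "http://example.com/",
        "ftp://user@example.com/",
    };
    static const char *names[] = { "ok", "bad scheme", "userinfo" };

    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-40s %s\n", samples[n], names[check_url(samples[n])]);
    return 0;
}
```

Inside libcurl itself, the scheme half of this check corresponds to setting CURLOPT_PROTOCOLS to CURLPROTO_HTTPS, as the reply above points to; the userinfo half has to be done by the application before the URL is handed over.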