curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Idea: voluntary restricting curl (use)

From: bch via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 10 Jan 2019 14:56:26 -0800

On Thu, Jan 10, 2019 at 2:30 PM Daniel Stenberg via curl-library <
curl-library_at_cool.haxx.se> wrote:

> Hey,
>
> I want to test an idea on you all before I proceed and do anything else
> with
> it. I need your input, your critique and perhaps your suggestions on how
> to
> make into an awesome idea.
>
> The problem
>
> You - as a user - run programs and scripts that themselves use libcurl or
> just the command line curl, in ways that you don't approve of. Even if
> the
> program or script was written to do use that feature.
>
> The solution
>
> The all new `CURL_INHIBIT` environment variable, that is parsed by
> libcurl
> and can be used to make libcurl avoid certain behaviors.
>
> Using this, you can voluntary raise the bar for what's accepted, to
> prevent
> scripts and programs from for example using insecure protocols etc.
>
> The variable should contain a comma-separated list of named
> restrictions. The
> restrictions available are listed below, but other ones may be added in
> later
> libcurl versions (and older may be removed). Unknown or just misspelled
> restrictions will be silently ignored.
>
> Restrictions should be named to identify what is *inhibited* by it.
>

I’m only parking this all quickly, but:

Consider

1) having a diagnostic-requesting env var that perhaps dumps state of what
cURL was trying to do

2) whitelisting *allowances* instead of blacklisting denials

-bch

> The general idea here is that applications and scripts using curl can't
> change or work around restrictions set in this variable!
>
> Restrictions
>
> Here are three that I immediately came to think of. I'd be interested in
> adding others to the list if you can think of some!
>
> 'clear-text'
>
> When set, this will make libcurl avoid downloads over clear-text
> connections.
> The transfer MUST be encrypted or trigger an error (`CURLE_INIHIBITED`).
>
> 'user-in-url'
>
> When set, this is the equivalent of the application setting the
> `CURLOPT_DISALLOW_USERNAME_IN_URL` option. It will prevent libcurl from
> accepting URLs with embedded user names.
>
> 'insecure-https'
>
> When set, this will make transfers that are attempted with server
> certificate
> validation disabled to fail.
>
> Anything you think you would ever use and appreciate?
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-01-10