curl-library
Re: Idea: voluntary restricting curl (use)
Date: Thu, 10 Jan 2019 15:22:33 -0800
On Thu, Jan 10, 2019 at 2:56 PM bch <brad.harder_at_gmail.com> wrote:
>
>
> On Thu, Jan 10, 2019 at 2:30 PM Daniel Stenberg via curl-library <
> curl-library_at_cool.haxx.se> wrote:
>
>> Hey,
>>
>> I want to test an idea on you all before I proceed and do anything else
>> with it. I need your input, your critique and perhaps your suggestions on
>> how to make it into an awesome idea.
>>
>> The problem
>>
>> You - as a user - run programs and scripts that themselves use libcurl
>> or just the command line curl, in ways that you don't approve of. Even if
>> the program or script was written to use that feature.
>>
>> The solution
>>
>> The all new `CURL_INHIBIT` environment variable, that is parsed by
>> libcurl and can be used to make libcurl avoid certain behaviors.
>>
>> Using this, you can voluntarily raise the bar for what's accepted, to
>> prevent scripts and programs from for example using insecure protocols etc.
>>
>> The variable should contain a comma-separated list of named
>> restrictions. The restrictions available are listed below, but other ones
>> may be added in later libcurl versions (and older may be removed). Unknown
>> or just misspelled restrictions will be silently ignored.
>>
>> Restrictions should be named to identify what is *inhibited* by it.
>>
>
>
> I’m only parking this all quickly, but:
>
*parsing this all quickly...
> Consider
>
> 1) having a diagnostic-requesting env var that perhaps dumps state of what
> cURL was trying to do
>
> 2) whitelisting *allowances* instead of blacklisting denials
>
> -bch
>
>
>
>> The general idea here is that applications and scripts using curl can't
>> change or work around restrictions set in this variable!
>>
>> Restrictions
>>
>> Here are three that I immediately came to think of. I'd be interested in
>> adding others to the list if you can think of some!
>>
>> 'clear-text'
>>
>> When set, this will make libcurl avoid downloads over clear-text
>> connections. The transfer MUST be encrypted or trigger an error
>> (`CURLE_INIHIBITED`).
>>
>> 'user-in-url'
>>
>> When set, this is the equivalent of the application setting the
>> `CURLOPT_DISALLOW_USERNAME_IN_URL` option. It will prevent libcurl from
>> accepting URLs with embedded user names.
>>
>> 'insecure-https'
>>
>> When set, this will make transfers that are attempted with server
>> certificate validation disabled to fail.
>>
>> Anything you think you would ever use and appreciate?
>>
>> --
>>
>> / daniel.haxx.se
>> -------------------------------------------------------------------
>> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
>
Received on 2019-01-11
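
An added sketch, not libcurl code and not written by anyone in this thread, of how the `CURL_INHIBIT` value described in the quoted proposal could be parsed and applied to a transfer. The function names, the bit flags, the lack of whitespace trimming and the choice of `https` and `ftps` as the encrypted schemes are assumptions; it also shows that a misspelled name leaves that restriction switched off, since unknown names are silently ignored.

```c
/* Hypothetical parser and check for the proposed CURL_INHIBIT variable.
   Illustration only: none of these names exist in libcurl. */
#include <string.h>

#define INH_CLEAR_TEXT     (1u << 0)
#define INH_USER_IN_URL    (1u << 1)
#define INH_INSECURE_HTTPS (1u << 2)

static const struct { const char *name; unsigned bit; } inh_names[] = {
  { "clear-text", INH_CLEAR_TEXT },
  { "user-in-url", INH_USER_IN_URL },
  { "insecure-https", INH_INSECURE_HTTPS },
};

/* Parse a comma-separated list into a bit mask. Unknown or misspelled
   names are silently ignored, as the proposal specifies. */
unsigned inhibit_parse(const char *value)
{
  unsigned mask = 0;
  while(value && *value) {
    size_t len = strcspn(value, ",");
    size_t i;
    for(i = 0; i < sizeof(inh_names) / sizeof(inh_names[0]); i++)
      if(strlen(inh_names[i].name) == len &&
         !strncmp(value, inh_names[i].name, len))
        mask |= inh_names[i].bit;
    value += len;
    if(*value == ',')
      value++;
  }
  return mask;
}

/* Return 0 if the transfer may proceed, else the bit of the restriction
   that blocks it. Scheme match is case-sensitive, so odd casing fails closed. */
unsigned inhibit_check(unsigned mask, const char *url, int verify_peer)
{
  const char *sep = strstr(url, "://");
  const char *auth = sep ? sep + 3 : url;     /* start of authority part */
  size_t authlen = strcspn(auth, "/?#");      /* authority ends here */
  int tls = sep && (!strncmp(url, "https://", 8) || !strncmp(url, "ftps://", 7));
  if((mask & INH_CLEAR_TEXT) && !tls)
    return INH_CLEAR_TEXT;
  if((mask & INH_USER_IN_URL) && memchr(auth, '@', authlen))
    return INH_USER_IN_URL;
  if((mask & INH_INSECURE_HTTPS) && tls && !verify_peer)
    return INH_INSECURE_HTTPS;
  return 0;
}
```

With `CURL_INHIBIT=clear-txt` the mask is empty and a plain `http://` transfer passes the check, which is the fail-open case to watch for when a restriction list ignores unknown names.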