curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Idea: voluntary restricting curl (use)

From: James Fuller via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 14 Jan 2019 12:06:35 +0100

alternately instead of restriction we could warn people better with
just more log messages with a warning log level and maybe --warning
switch.

Jim Fuller

On Mon, 14 Jan 2019 at 11:31, Daniel Stenberg via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> On Mon, 14 Jan 2019, Mischa Salle via curl-library wrote:
>
> > Hmm, not sure this would add very much, but on the other hand could indeed
> > as Ray points out break things in unexpected ways and make life in general
> > more complicated.
>
> Sure, users who'd decide to restrict curl would probably get it "more
> complicated" in some ways but that's by choice and that also saves them from
> using applications/scripts in ways they don't approve of. A complication that
> brings benefits.
>
> If you don't care (which I assume most people won't), you don't set anything
> and then there's nothing extra!
>
> > If you want to add policies, I think you will be needing more than a simple
> > env variable, i.e. something like a config file.
>
> The problem with a config file is that it then becomes set for all curl
> invokes and not just the one from a specific shell, which an environment
> variable would do. I would also imagine that restricting curl like this would
> be something often done to test and experiment first and then you really don't
> want to affect any other scripts than the particular one you want to try out
> right now.
>
> Also suggested a environment variable because it is easy to play with from a
> user's stand-point.
>
> > In any case you need the cooperation of the script/program calling
> > curl as it would be trivial to circumvent (declare -r doesn't help).
>
> Why would a script/application author actively work against this? I don't
> understand what motivations such developers would have. I mean the typical
> well-meaning ones, not the rare malicious or misinformed developers who I of
> course acknowledge exist but I think is a very small minority.
>
> A developer who wants a script or program to run and use an insecure protocol
> for example, they do that for a reason as they perhaps only have access to a
> service over that protocol. Why would they try to trick their users into
> believing they're not using those insecure protocols?
>
> Maybe I'm just too much of an optimist! =)
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-01-14