Warning: using file:// on Windows with curl
Date: Mon, 16 Mar 2020 08:12:03 +0100 (CET)
Hi friends!
This is a general note and warning to users of curl and libcurl running on
Windows and using FILE:// transfers.
The Windows operating system will automatically, and without any way for
applications to disable it, try to establish a connection to another host over
the network and access it (over SMB or other protocols), if only the correct
file path is accessed.
When first realizing this, the curl team tried to filter out such attempts in
order to protect applications for inadvertent probes of for example internal
networks etc. This resulted in CVE-2019-15601 and the associated security fix.
However, we've since been made aware of the fact that the previous fix was far
from adequate as there are several other ways to accomplish more or less the
same thing: accessing a remote host over the network instead of the local file
system.
The conclusion we have come to is that this is a weakness or feature in the
Windows operating system itself, that we as an application cannot safely
protect users against. It would just be a whack-a-mole race we don't want to
participate in. There are too many ways to do it and there's no knob we can
use to turn off the practice.
If you use curl or libcurl on Windows (any version), disable the use of the
FILE protocol in curl or be prepared that accesses to a range of "magic paths"
will potentially make your system try to access other hosts on your
network. curl cannot protect you against this.
We have updated curl documentation on URLs and FILE:// accordingly.
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://www.wolfssl.com/contact/ ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2020-03-16