Re: Warning: using file:// on Windows with curl

On Mon, Mar 16, 2020 at 3:19 AM Daniel Stenberg via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> This is a general note and warning to users of curl and libcurl running on
> Windows and using FILE:// transfers.
>
> The Windows operating system will automatically, and without any way for
> applications to disable it, try to establish a connection to another host over
> the network and access it (over SMB or other protocols), if only the correct
> file path is accessed.
>
> When first realizing this, the curl team tried to filter out such attempts in
> order to protect applications for inadvertent probes of for example internal
> networks etc. This resulted in CVE-2019-15601 and the associated security fix.
> ...
> The conclusion we have come to is that this is a weakness or feature in the
> Windows operating system itself, that we as an application cannot safely
> protect users against. It would just be a whack-a-mole race we don't want to
> participate in. There are too many ways to do it and there's no knob we can
> use to turn off the practice.

Yes, the feature is baked into the Windows network redirector. If it
is a bug, then it is a Microsoft redirector bug, not a cURL bug.

How did someone manage to get CVE-2019-15601 assigned to cURL for
this? More useless crap from snake oil firms?

Jeff
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-03-16