
Re: Security implications of CURLOPT_UPLOAD + CURLOPT_FOLLOWLOCATION

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Sun, 3 May 2020 00:42:04 +0200 (CEST)

On Tue, 28 Apr 2020, Blake Burkhart via curl-library wrote:

> What are the security implications of enabling redirects during uploads? The
> security considerations page[1] says “When uploading, a redirect can cause a
> local (or remote) file to be overwritten.” and mentions
> CURLOPT_FOLLOWLOCATION, but as of Curl 7.19.4 it is no longer possible to
> HTTP redirect to local files with the FILE protocol.

It is still *possible*, it is just not enabled by default.

> Is the impact limited to overwriting an unexpected remote URL (on any
> allowed protocol)? Or if a URL is user specified, overwriting a local file?

Those are certainly two obvious risks, yes. I can't exclude that there are
others as well.

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
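Added example, not from this thread or from libcurl itself: a standalone C model of the protocol allow-list that decides whether a redirected upload may be followed, mirroring the default that keeps redirects off FILE since 7.19.4 while still letting an application opt in. Names (`redirect_allowed`, the `REDIR_*` bits) and the sample URLs are constructed for illustration; the libcurl plumbing is described in comments so the block builds without the library.

```c
/* Constructed example: redirect target policy for an upload. Intended use:
 * leave CURLOPT_FOLLOWLOCATION off, read CURLINFO_REDIRECT_URL after the
 * transfer, and re-issue the upload only when redirect_allowed() accepts it
 * (libcurl calls omitted so this compiles stand-alone). */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

enum {
    REDIR_HTTP  = 1u << 0,
    REDIR_HTTPS = 1u << 1,
    REDIR_FILE  = 1u << 2,  /* a redirect here overwrites a local path */
    REDIR_OTHER = 1u << 3   /* ftp, scp, smb, ...: any other scheme */
};
/* Default for uploads: follow only to http and https. */
#define REDIR_DEFAULT_MASK (REDIR_HTTP | REDIR_HTTPS)

/* RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
 * Returns the scheme length, or 0 for a relative reference. */
static size_t scheme_len(const char *url)
{
    if (!isalpha((unsigned char)url[0]))
        return 0;
    size_t i = 1;
    while (isalnum((unsigned char)url[i]) || url[i] == '+' ||
           url[i] == '-' || url[i] == '.')
        i++;
    return url[i] == ':' ? i : 0;
}

/* Case-insensitive compare of the n-byte scheme s against literal lit. */
static bool scheme_is(const char *s, size_t n, const char *lit)
{
    for (size_t i = 0; i < n; i++)
        if (lit[i] == '\0' || tolower((unsigned char)s[i]) != lit[i])
            return false;
    return lit[n] == '\0';
}

static unsigned scheme_bit(const char *url, size_t n)
{
    if (scheme_is(url, n, "http"))  return REDIR_HTTP;
    if (scheme_is(url, n, "https")) return REDIR_HTTPS;
    if (scheme_is(url, n, "file"))  return REDIR_FILE;
    return REDIR_OTHER;
}

/* May the Location value be followed for an upload sent to base_url?
 * A relative Location (including "//host/path") inherits base_url's scheme. */
bool redirect_allowed(const char *base_url, const char *location, unsigned mask)
{
    const char *u = location;
    size_t n = scheme_len(u);
    if (n == 0) {
        u = base_url;
        n = scheme_len(u);
        if (n == 0)
            return false;   /* no usable scheme anywhere: refuse */
    }
    return (scheme_bit(u, n) & mask) != 0;
}
```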

Received on 2020-05-03