Feature suggestion to block Curl from connecting reserved and private IP addresses
From: Ayesh Karunaratne via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 14 Dec 2021 13:29:11 +0530
It's my first time mailing this list, and thanks a lot for the immense
efforts and impact Curl has made in all of our lives and software!
With the addition of CURLOPT_PREREQFUNCTION, one could write a
callback function to selectively block requests to certain IP/port
ranges. This is great, and I think it comes in handy when trying to
prevent SSRF vulnerabilities by blocking the request if it directs to
an IP address that is reserved or private.
As far as I'm aware, there is no configuration option that would
prevent Curl from connecting to these IP addresses (apart from
selectively blocking with CURLOPT_PREREQFUNCTION), and it is not
possible to effectively prevent server-side request forgery attacks by
preliminarily checking the destination IP address because the attacker
can send a public IP address first, and the private IP address just
for Curl (effectively DNS rebinding).
I would like to request a feature that can be used to request Curl to
abort the connection if it attempts to connect to a private or
reserved IP address. For example, a CURLOPT_BLOCK_PRIVATE_IP and
CURLOPT_BLOCK_RESERVED_IP pair that accepts a true/false value, and
blocks IPv4 and IPv6 private/reserved IP ranges. This is effectively
writing a CURLOPT_PREREQFUNCTION callback that does this in userland
code, but made easier by Curl itself. I understand that these toggles
might be redundant because one could write any selective blocking
pattern with CURLOPT_PREREQFUNCTION, but I'm really seeing these
options making things a lot easier for the layman.
Thank you,
Ayesh.
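The userland approach the message describes, written out as an added example (this is not code from the curl project or from the poster): an IPv4/IPv6 classifier for private and reserved ranges, wrapped in a function with the `curl_prereq_callback` signature so it can be installed with `CURLOPT_PREREQFUNCTION`. The two return constants are mirrored locally under `#ifndef` guards only so the file builds without libcurl headers; the range list and the helper names (`ip_is_private_or_reserved`, `block_private_ip`) are this example's own choices. Because the callback runs after the socket is connected, it judges the address curl actually reached, which is what defeats the rebinding trick of answering a public IP first and a private one later.

```c
/* Added example, not curl project code: refuse connections to private or
 * reserved addresses from a CURLOPT_PREREQFUNCTION callback. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Return values of curl_prereq_callback as documented in curl/curl.h;
 * defined here only so this file compiles without libcurl installed. */
#ifndef CURL_PREREQFUNC_OK
#define CURL_PREREQFUNC_OK 0
#endif
#ifndef CURL_PREREQFUNC_ABORT
#define CURL_PREREQFUNC_ABORT 1
#endif

#define V4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* IPv4 prefixes that are not globally routable unicast (RFC 1918, 6598, 5735, ...). */
static const struct { uint32_t net; int bits; } v4_blocked[] = {
    { V4(0, 0, 0, 0),      8  },  /* "this network"               */
    { V4(10, 0, 0, 0),     8  },  /* private                      */
    { V4(100, 64, 0, 0),   10 },  /* shared address space (CGNAT) */
    { V4(127, 0, 0, 0),    8  },  /* loopback                     */
    { V4(169, 254, 0, 0),  16 },  /* link-local                   */
    { V4(172, 16, 0, 0),   12 },  /* private                      */
    { V4(192, 0, 0, 0),    24 },  /* IETF protocol assignments    */
    { V4(192, 0, 2, 0),    24 },  /* TEST-NET-1                   */
    { V4(192, 168, 0, 0),  16 },  /* private                      */
    { V4(198, 18, 0, 0),   15 },  /* benchmarking                 */
    { V4(198, 51, 100, 0), 24 },  /* TEST-NET-2                   */
    { V4(203, 0, 113, 0),  24 },  /* TEST-NET-3                   */
    { V4(224, 0, 0, 0),    4  },  /* multicast                    */
    { V4(240, 0, 0, 0),    4  },  /* reserved, incl. broadcast    */
};

/* ip is in host byte order. */
static int ipv4_blocked(uint32_t ip)
{
    size_t i;
    for (i = 0; i < sizeof(v4_blocked) / sizeof(v4_blocked[0]); i++) {
        uint32_t mask = 0xFFFFFFFFu << (32 - v4_blocked[i].bits);
        if ((ip & mask) == (v4_blocked[i].net & mask))
            return 1;
    }
    return 0;
}

/* b points at the 16 raw address bytes. */
static int ipv6_blocked(const unsigned char *b)
{
    static const unsigned char zero12[12] = {0};
    /* IPv4-mapped (::ffff:a.b.c.d) and NAT64 (64:ff9b::a.b.c.d) carry an
     * IPv4 address in the last four bytes; judge that address instead. */
    if (memcmp(b, zero12, 10) == 0 && b[10] == 0xff && b[11] == 0xff)
        return ipv4_blocked(V4(b[12], b[13], b[14], b[15]));
    if (b[0] == 0x00 && b[1] == 0x64 && b[2] == 0xff && b[3] == 0x9b &&
        memcmp(b + 4, zero12, 8) == 0)
        return ipv4_blocked(V4(b[12], b[13], b[14], b[15]));
    if (memcmp(b, zero12, 12) == 0 && b[12] == 0 && b[13] == 0 &&
        b[14] == 0 && b[15] <= 1)
        return 1;                                            /* :: and ::1 */
    if ((b[0] & 0xfe) == 0xfc) return 1;                     /* fc00::/7 unique local */
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80) return 1;     /* fe80::/10 link-local */
    if (b[0] == 0xff) return 1;                              /* ff00::/8 multicast */
    if (b[0] == 0x20 && b[1] == 0x01 && b[2] == 0x0d && b[3] == 0xb8)
        return 1;                                            /* 2001:db8::/32 documentation */
    return 0;
}

/* 1 = private/reserved, 0 = public, -1 = not a parsable IP literal. */
int ip_is_private_or_reserved(const char *ip)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, ip, &a4) == 1)
        return ipv4_blocked(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, ip, &a6) == 1)
        return ipv6_blocked(a6.s6_addr);
    return -1;
}

/* Same signature as curl_prereq_callback. Anything that is not a public,
 * parsable address (including -1) aborts the transfer. */
int block_private_ip(void *clientp, char *conn_primary_ip, char *conn_local_ip,
                     int conn_primary_port, int conn_local_port)
{
    (void)clientp; (void)conn_local_ip; (void)conn_primary_port; (void)conn_local_port;
    return ip_is_private_or_reserved(conn_primary_ip) == 0
           ? CURL_PREREQFUNC_OK : CURL_PREREQFUNC_ABORT;
}

int main(void)
{
    /* Constructed sample addresses, as curl would hand them to the callback. */
    const char *samples[] = { "10.1.2.3", "169.254.169.254", "93.184.216.34",
                              "::ffff:192.168.0.5", "fd00::1", "2606:4700::1111" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s -> %s\n", samples[i],
               ip_is_private_or_reserved(samples[i]) ? "ABORT" : "OK");
    return 0;
}
```

Install it on a handle with `curl_easy_setopt(curl, CURLOPT_PREREQFUNCTION, block_private_ip);` (libcurl 7.80.0 or later). The callback fires for every new connection, so each hop of a redirect chain is checked as well. Note that when a proxy is configured the connected address is the proxy's, so the policy then has to live on the proxy side.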
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2021-12-14