
Re: Feature suggestion to block Curl from connecting reserved and private IP addresses

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 14 Dec 2021 09:22:38 +0100 (CET)

On Tue, 14 Dec 2021, Ayesh Karunaratne via curl-library wrote:

> With the addition of CURLOPT_PREREQFUNCTION, one could write a callback
> function to selectively block requests to certain IP/port ranges. This is
> great, and I think it comes in handy when trying to prevent SSRF
> vulnerabilities by blocking the request if it directs to an IP address that
> is reserved or private.

Isn't the solution to this, and a remedy to many other attacks at the same
time, rather to use a secure protocol? If you use a TLS or SSH based protocol,
it doesn't matter if someone manages to trick curl to connect to the wrong
address as it won't survive the handshake anyway!


-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2021-12-14