Re: Feature suggestion to block Curl from connecting reserved and private IP addresses
From: Ayesh Karunaratne via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 14 Dec 2021 14:21:49 +0530
> > With the addition of CURLOPT_PREREQFUNCTION, one could write a callback
> > function to selectively block requests to certain IP/port ranges. This is
> > great, and I think it comes in handy when trying to prevent SSRF
> > vulnerabilities by blocking the request if it directs to an IP address that
> > is reserved or private.
>
> Isn't the solution to this, and a remedy to many other attacks at the same
> time, rather to use a secure protocol? If you use a TLS or SSH based protocol,
> it doesn't matter if someone manages to trick curl to connect to the wrong
> address as it won't survive the handshake anyway!
>
Thanks a lot for the quick response.
You are right that the handshake would indeed fail under a secure
protocol, and Curl does a fantastic job at that.
My particular use case is an FTP and HTTP ingestion server where TV
reporters submit their videos, where they submit a URL, and the server
ingests it at a maximum speed configured internally. I couldn't think
of a way to prevent someone from simply submitting an internal
firewalled URL, because Curl would be allowed to fetch the files from
the private IP address anyway.
Using plain FTP is a bad idea from the get-go, I totally agree.
However, I thought a feature like this could be helpful to many users
as an additional precautionary measure for those who can't use a
protocol that validates the host name.
Thank you,
Ayesh.
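The callback sketched in this thread, written out as an added example (not code from the curl project or from either poster). It follows libcurl's documented CURLOPT_PREREQFUNCTION prototype and classifies the peer address libcurl actually connected to, which is the point of doing the check here rather than on the URL's hostname: the resolved address is what matters, so a hostname that resolves to 10.0.0.5 or a later DNS answer that differs from the first is caught anyway. The function names (`ip_is_blocked`, `block_private_prereq`) and the exact set of blocked ranges are this example's own choices; IPv4-mapped and NAT64 IPv6 forms are unwrapped so they cannot be used to slip an IPv4 address past the IPv4 list. The two CURL_PREREQFUNC_* constants are repeated under `#ifndef` only so the file compiles and can be tested without libcurl installed; a real program includes `<curl/curl.h>` instead.

```c
/* Added example: an SSRF guard for libcurl's CURLOPT_PREREQFUNCTION.
 * Function names and the range list are this example's own choices. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libcurl defines these in <curl/curl.h> (7.80.0 and later). They are
 * repeated here only so the file builds and tests without libcurl. */
#ifndef CURL_PREREQFUNC_OK
#define CURL_PREREQFUNC_OK 0
#define CURL_PREREQFUNC_ABORT 1
#endif

struct v4_range { uint32_t net; unsigned bits; };

/* IPv4 ranges (host byte order) an ingestion service should never fetch from. */
static const struct v4_range blocked_v4[] = {
    {0x00000000u,  8},  /* 0.0.0.0/8       "this" network            */
    {0x0A000000u,  8},  /* 10.0.0.0/8      private                   */
    {0x64400000u, 10},  /* 100.64.0.0/10   shared address space      */
    {0x7F000000u,  8},  /* 127.0.0.0/8     loopback                  */
    {0xA9FE0000u, 16},  /* 169.254.0.0/16  link-local, cloud metadata */
    {0xAC100000u, 12},  /* 172.16.0.0/12   private                   */
    {0xC0000000u, 24},  /* 192.0.0.0/24    IETF protocol assignments */
    {0xC0000200u, 24},  /* 192.0.2.0/24    documentation             */
    {0xC0A80000u, 16},  /* 192.168.0.0/16  private                   */
    {0xC6120000u, 15},  /* 198.18.0.0/15   benchmarking              */
    {0xC6336400u, 24},  /* 198.51.100.0/24 documentation             */
    {0xCB007100u, 24},  /* 203.0.113.0/24  documentation             */
    {0xE0000000u,  4},  /* 224.0.0.0/4     multicast                 */
    {0xF0000000u,  4},  /* 240.0.0.0/4     reserved + broadcast      */
};

static int v4_is_blocked(uint32_t a) {          /* a in host byte order */
    size_t i;
    for (i = 0; i < sizeof blocked_v4 / sizeof blocked_v4[0]; i++) {
        uint32_t mask = 0xFFFFFFFFu << (32 - blocked_v4[i].bits);
        if ((a & mask) == (blocked_v4[i].net & mask))
            return 1;
    }
    return 0;
}

static uint32_t v4_from_bytes(const unsigned char *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

static int v6_is_blocked(const struct in6_addr *a6) {
    const unsigned char *b = a6->s6_addr;
    static const unsigned char zero15[15] = {0};
    /* ::ffff:a.b.c.d (IPv4-mapped) and 64:ff9b::a.b.c.d (NAT64 well-known
     * prefix) carry an IPv4 address: apply the IPv4 policy to it. */
    if (memcmp(b, zero15, 10) == 0 && b[10] == 0xff && b[11] == 0xff)
        return v4_is_blocked(v4_from_bytes(b + 12));
    if (b[0] == 0x00 && b[1] == 0x64 && b[2] == 0xff && b[3] == 0x9b &&
        memcmp(b + 4, zero15, 8) == 0)
        return v4_is_blocked(v4_from_bytes(b + 12));
    if (memcmp(b, zero15, 15) == 0 && b[15] <= 1) return 1;  /* :: and ::1  */
    if ((b[0] & 0xfe) == 0xfc) return 1;                     /* fc00::/7 ULA */
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80) return 1;     /* fe80::/10   */
    if (b[0] == 0xff) return 1;                              /* ff00::/8    */
    if (b[0] == 0x20 && b[1] == 0x01 && b[2] == 0x0d && b[3] == 0xb8)
        return 1;                                            /* 2001:db8::/32 */
    return 0;
}

/* 1 = private/reserved, 0 = routable, -1 = not an IP literal at all. */
int ip_is_blocked(const char *ip) {
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, ip, &a4) == 1)  return v4_is_blocked(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, ip, &a6) == 1) return v6_is_blocked(&a6);
    return -1;
}

/* CURLOPT_PREREQFUNCTION prototype. libcurl calls this once the connection is
 * established and before the request is sent, passing the peer address it
 * actually connected to. Anything that is not a routable literal is refused
 * (fail closed), and the transfer then ends with CURLE_ABORTED_BY_CALLBACK. */
int block_private_prereq(void *clientp, char *conn_primary_ip,
                         char *conn_local_ip, int conn_primary_port,
                         int conn_local_port) {
    (void)clientp; (void)conn_local_ip; (void)conn_local_port;
    if (ip_is_blocked(conn_primary_ip) != 0) {
        fprintf(stderr, "refusing request to %s:%d (private/reserved)\n",
                conn_primary_ip, conn_primary_port);
        return CURL_PREREQFUNC_ABORT;
    }
    return CURL_PREREQFUNC_OK;
}

/* Hooking it up (needs <curl/curl.h>, so shown as a comment here):
 *   curl_easy_setopt(h, CURLOPT_PREREQFUNCTION, block_private_prereq);
 *   curl_easy_setopt(h, CURLOPT_PREREQDATA, NULL);
 */
```

Two caveats a deployment should keep in mind. The callback runs after the connection is already up, so it stops the request and any data from flowing but does not stop the TCP connect itself; an attacker submitting URLs can still learn which internal ports accept connections from how fast the fetch fails. And a redirect hop is a new request with its own connection, so the hop's peer address passes through the same callback; pairing the guard with CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to allow only the schemes the ingest service needs closes off the rest.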
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2021-12-14