Re: Feature suggestion to block Curl from connecting reserved and private IP addresses

From: Ayesh Karunaratne via curl-library <curl-library_at_lists.haxx.se>
Date: Tue, 14 Dec 2021 14:21:49 +0530

> > With the addition of CURLOPT_PREREQFUNCTION, one could write a callback
> > function to selectively block requests to certain IP/port ranges. This is
> > great, and I think it comes in handy when trying to prevent SSRF
> > vulnerabilities by blocking the request if it directs to an IP address that
> > is reserved or private.
>
> Isn't the solution to this, and a remedy to many other attacks at the same
> time, rather to use a secure protocol? If you use a TLS or SSH based protocol,
> it doesn't matter if someone manages to trick curl to connect to the wrong
> address as it won't survive the handshake anyway!
>

Thanks a lot for the quick response.

You are right that the handshake would indeed fail under a secure
protocol, and Curl does a fantastic job at that.

My particular use case is an FTP and HTTP ingestion server where TV
reporters submit their videos, where they submit a URL, and the server
ingests it at a maximum speed configured internally. I couldn't think
of a way to prevent someone from simply submitting an internal
firewalled URL, because Curl would be allowed to fetch the files from
the private IP address anyway.

Using plain FTP is a bad idea from the get-go, I totally agree.
However, I thought a feature like this could be helpful to many users
as an additional precautionary measure for those who can't use a
protocol that validates the host name.

Thank you,
Ayesh.
Received on 2021-12-14
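The guard sketched in this thread, as an added example that is neither curl project code nor the poster's own: a CURLOPT_PREREQFUNCTION callback that refuses the connection when the peer address libcurl actually reached falls in a private, loopback, link-local or otherwise reserved range, and additionally enforces a port allowlist. Because the callback runs after the connection is established, it sees the resolved address rather than the hostname, so a DNS answer that later changes cannot slip past a check done before the transfer. The deny list, the sample addresses and the names is_blocked_ip, prereq_guard, guard_policy and fetch_with_guard are this example's own choices. The classifier compiles on its own; the libcurl wiring is built with -DUSE_LIBCURL -lcurl and assumes libcurl 7.85.0 or later (CURLOPT_PREREQFUNCTION arrived in 7.80.0, CURLOPT_PROTOCOLS_STR in 7.85.0).

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed deny list (added example): private, loopback, link-local, CGNAT,
 * documentation, multicast and reserved ranges. NAT64 (64:ff9b::/96) is refused
 * outright because it can embed a private IPv4 address. */
static const struct { const char *net; int bits; } blocked_ranges[] = {
    {"0.0.0.0", 8},     {"10.0.0.0", 8},      {"100.64.0.0", 10}, {"127.0.0.0", 8},
    {"169.254.0.0", 16},{"172.16.0.0", 12},   {"192.0.0.0", 24},  {"192.0.2.0", 24},
    {"192.168.0.0", 16},{"198.18.0.0", 15},   {"198.51.100.0", 24},{"203.0.113.0", 24},
    {"224.0.0.0", 4},   {"240.0.0.0", 4},     {"::", 128},        {"::1", 128},
    {"64:ff9b::", 96},  {"100::", 64},        {"2001:db8::", 32}, {"fc00::", 7},
    {"fe80::", 10},     {"ff00::", 8},
};

/* Returns 1 when the first `bits` bits of a and b are equal. */
static int prefix_match(const unsigned char *a, const unsigned char *b, int bits)
{
    int full = bits / 8, rem = bits % 8;
    unsigned char mask = (unsigned char)(0xFF << (8 - rem));
    if (memcmp(a, b, (size_t)full) != 0) return 0;
    return rem == 0 || (a[full] & mask) == (b[full] & mask);
}

/* Parses an IPv4 or IPv6 literal into `out`. IPv4-mapped IPv6 addresses
 * (::ffff:a.b.c.d) are unwrapped to IPv4 so the IPv4 ranges still apply.
 * Returns AF_INET, AF_INET6, or 0 if the text is not an address. */
static int parse_ip(const char *text, unsigned char out[16])
{
    static const unsigned char mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    memset(out, 0, 16);
    if (inet_pton(AF_INET, text, out) == 1) return AF_INET;
    if (inet_pton(AF_INET6, text, out) != 1) return 0;
    if (memcmp(out, mapped, 12) == 0) {
        memmove(out, out + 12, 4);
        memset(out + 4, 0, 12);
        return AF_INET;
    }
    return AF_INET6;
}

/* Returns 1 if `text` must not be connected to: it lies in a blocked range or
 * cannot be parsed at all (fail closed). Returns 0 for public unicast. */
int is_blocked_ip(const char *text)
{
    unsigned char addr[16], net[16];
    int family = parse_ip(text, addr);
    if (family == 0) return 1;
    for (size_t i = 0; i < sizeof blocked_ranges / sizeof blocked_ranges[0]; i++)
        if (parse_ip(blocked_ranges[i].net, net) == family &&
            prefix_match(addr, net, blocked_ranges[i].bits))
            return 1;
    return 0;
}

#ifdef USE_LIBCURL   /* build with: cc -DUSE_LIBCURL guard.c -lcurl */
#include <curl/curl.h>

/* Hypothetical policy object handed to the callback through CURLOPT_PREREQDATA. */
struct guard_policy { const int *allowed_ports; size_t n_ports; };

/* CURLOPT_PREREQFUNCTION callback: libcurl runs it once the connection is
 * established and before the request is sent, so conn_primary_ip is the peer
 * actually reached, after DNS resolution and again for each redirect hop. */
static int prereq_guard(void *clientp, char *conn_primary_ip, char *conn_local_ip,
                        int conn_primary_port, int conn_local_port)
{
    const struct guard_policy *p = clientp;
    (void)conn_local_ip; (void)conn_local_port;
    if (is_blocked_ip(conn_primary_ip)) {
        fprintf(stderr, "refusing %s: reserved or private address\n", conn_primary_ip);
        return CURL_PREREQFUNC_ABORT;
    }
    for (size_t i = 0; i < p->n_ports; i++)
        if (p->allowed_ports[i] == conn_primary_port) return CURL_PREREQFUNC_OK;
    fprintf(stderr, "refusing %s:%d: port not allowed\n", conn_primary_ip, conn_primary_port);
    return CURL_PREREQFUNC_ABORT;
}

/* Fetches `url` with the guard installed and the schemes limited to what the
 * ingestion service needs, so a redirect cannot switch to file:// or similar. */
static CURLcode fetch_with_guard(const char *url)
{
    static const int ports[] = {21, 80, 443};
    struct guard_policy policy = { ports, sizeof ports / sizeof ports[0] };
    CURL *h = curl_easy_init();
    CURLcode rc;
    if (!h) return CURLE_FAILED_INIT;
    curl_easy_setopt(h, CURLOPT_URL, url);
    curl_easy_setopt(h, CURLOPT_PROTOCOLS_STR, "http,https,ftp");
    curl_easy_setopt(h, CURLOPT_REDIR_PROTOCOLS_STR, "http,https");
    curl_easy_setopt(h, CURLOPT_FOLLOWLOCATION, 1L);
    curl_easy_setopt(h, CURLOPT_PREREQFUNCTION, prereq_guard);
    curl_easy_setopt(h, CURLOPT_PREREQDATA, &policy);
    rc = curl_easy_perform(h);
    curl_easy_cleanup(h);
    return rc;
}
#endif

int main(int argc, char **argv)
{
    /* Constructed samples of what the callback would see in conn_primary_ip. */
    const char *samples[] = { "10.1.2.3", "169.254.169.254", "::ffff:192.168.0.10",
                              "fd12::1", "93.184.216.34", "2606:4700::1111" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i], is_blocked_ip(samples[i]) ? "blocked" : "allowed");
#ifdef USE_LIBCURL
    if (argc > 1) return fetch_with_guard(argv[1]) == CURLE_OK ? 0 : 1;
#endif
    (void)argc; (void)argv;
    return 0;
}
```

Two caveats a deployment should keep in mind: when a proxy is configured, conn_primary_ip is the proxy's address, so the check must then live on the proxy instead; and the callback only covers connections libcurl makes, so an FTP transfer that negotiates a separate data connection still needs the protocol restrictions set above rather than this callback alone.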