Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: How to handle CA certificate bundles in portable application bundles (e.g., AppImages)?
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Dan Fandrich via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 19 May 2022 09:13:14 -0700
On Thu, May 19, 2022 at 12:23:03PM +0200, TheAssassin via curl-library wrote:
> I don't see why a user would add that path. If a user would compile libcurl
> with /etc/motd as the main CA certificate bundle path at the moment,
> unexpected behavior will occur as well. It is the job of the developer who
> generates the libcurl binary to provide proper paths.
I'm just using that as an example. /tmp/something would be even worse example.
The developer is definitely responsible for choosing something sane.
> Whether you support one bundle or multiple bundles doesn't make a big
> difference. The proposed paths are all in read-only, root-writable
> locations, as per the FHS. Only distributions which ignore this standard
> could maybe be affected by such an issue. But then again, the existing
> single CA bundle path may be writable as well.
Using it in the way you describe should be fine. I'm just thinking about ways a
naive developer could misuse the feature.
Dan
Date: Thu, 19 May 2022 09:13:14 -0700
On Thu, May 19, 2022 at 12:23:03PM +0200, TheAssassin via curl-library wrote:
> I don't see why a user would add that path. If a user would compile libcurl
> with /etc/motd as the main CA certificate bundle path at the moment,
> unexpected behavior will occur as well. It is the job of the developer who
> generates the libcurl binary to provide proper paths.
I'm just using that as an example. /tmp/something would be even worse example.
The developer is definitely responsible for choosing something sane.
> Whether you support one bundle or multiple bundles doesn't make a big
> difference. The proposed paths are all in read-only, root-writable
> locations, as per the FHS. Only distributions which ignore this standard
> could maybe be affected by such an issue. But then again, the existing
> single CA bundle path may be writable as well.
Using it in the way you describe should be fine. I'm just thinking about ways a
naive developer could misuse the feature.
Dan
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2022-05-19