Re: option to disallow IDN ?

From: Patrik Fältström via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 15 Dec 2022 10:28:51 +0100

On 15 Dec 2022, at 9:06, Daniel Stenberg via curl-library wrote:

> After my recent blog post "IDN is crazy" [1], a few people have requested a new option to curl that prevents it from accepting/using IDN. To reduce the risk of getting exploited by one of the many trickeries you can do with it.
>
> Thoughts?
>
> [1] = https://daniel.haxx.se/blog/2022/12/14/idn-is-crazy/

You did not even go into issues when you have bidirectionality...

<https://paftech.se/node/681/>
<https://paftech.se/node/682/>
<https://paftech.se/node/683/>

Now, the process for accepting Unicode Code Points has changed in the IETF, for the better I think, simply because of reasons you list in your blog.

The main issue I have as a reviewer is that we lack individuals (humans) that are interested in doing recurring reviews like the one you did.

We could even in retrospect go and "ban" earlier approved code points to minimize the issues -- although we risk banning domain names that are in legitimate use.

Regarding curl and the command line interface, I think(!) I agree with you, that the command line should only accept A-Labels and not U-Labels, unless the user says one really knows what one is doing.

That said, I think the confusability you can get (see my blog posts above) should be handled in the shell that should warn the user. This is not really a curl issue, but a command line issue.

   Patrik


Received on 2022-12-15
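
The command-line policy suggested in the mail above (accept A-labels, refuse U-labels unless the user opts in), sketched as an added example that is not part of the original mail or of curl's code. The function names, the strict letter-digit-hyphen rule and the sample host names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum host_class { HOST_ASCII, HOST_ALABEL, HOST_ULABEL, HOST_INVALID };

/* Hypothetical helper: classify a bare host name (not an IP literal or URL).
   Any non-ASCII byte means a U-label is present. */
enum host_class classify_host(const char *host)
{
    enum host_class cls = HOST_ASCII;
    const char *p;
    for (p = host; *p; p++)
        if ((unsigned char)*p >= 0x80)
            return HOST_ULABEL;
    for (p = host;;) {
        size_t i, len = strcspn(p, ".");
        if (len == 0) /* empty label: valid only as one trailing dot */
            return (*p == '\0' && p != host) ? cls : HOST_INVALID;
        if (len > 63)
            return HOST_INVALID;
        for (i = 0; i < len; i++) /* assumption: strict letter-digit-hyphen */
            if (!isalnum((unsigned char)p[i]) && p[i] != '-')
                return HOST_INVALID;
        if (len > 4 && tolower((unsigned char)p[0]) == 'x' &&
            tolower((unsigned char)p[1]) == 'n' && p[2] == '-' && p[3] == '-')
            cls = HOST_ALABEL; /* ACE prefix "xn--", case-insensitive */
        if (p[len] == '\0')
            return cls;
        p += len + 1;
    }
}

/* Policy from the mail: A-labels pass, U-labels need an explicit opt-in. */
int host_allowed(const char *host, int allow_ulabels)
{
    enum host_class cls = classify_host(host);
    return cls == HOST_ULABEL ? allow_ulabels : cls != HOST_INVALID;
}

int main(void)
{
    const char *s[] = { "example.com", "xn--rksmrgs-5wao1o.se", "a..b",
                        "r\xc3\xa4ksm\xc3\xb6rg\xc3\xa5s.se" }; /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-22s allowed=%d\n", s[i], host_allowed(s[i], 0));
    return 0;
}
```

The check only looks at the ACE prefix and byte ranges; it does not decode Punycode, so it says nothing about how an accepted A-label renders.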