moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 06:25:03 -05:00
Code Issues Releases Wiki Activity

libcurl-security.3: mention the URL standards problems too

Browse Source
This commit is contained in:
Daniel Stenberg 2018-02-13 12:05:43 +01:00
parent 3901842055
commit 03b7b2e8fc
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
docs/libcurl/libcurl-security.3
View File

@ -226,6 +226,16 @@ Remedies:
- libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP
- consider not allowing the user to set the full URL
- consider strictly filtering input to only allow specific choices
.SH "RFC 3986 vs WHATWG URL"
curl supports URLs mostly according to how they are defined in RFC 3986, and
has done so since the beginning.
Web browsers mostly adhere to the WHATWG URL Specification.
This deviance makes some URLs copied between browsers (or returned over HTTP
for redirection) and curl not work the same way. This can mislead users into
getting the wrong thing, connecting to the wrong host or otherwise not work
identically.
.SH "FTP uses two connections"
When performing an FTP transfer, two TCP connections are used: one for setting
up the transfer and one for the actual data.