mirror of
https://github.com/moparisthebest/curl
synced 2024-12-23 08:38:49 -05:00
docs: add warnings about FILE: URLs on Windows
- --url man page section - libcurl-security.3 gets the full text - CURLOPT_URL.3 Reported-by: Tim Sedlmeyer
This commit is contained in:
parent
fe8ba51209
commit
0845ecbb6d
@ -13,3 +13,6 @@ setting a default protocol, see --proto-default for details.
|
||||
|
||||
This option may be used any number of times. To control where this URL is
|
||||
written, use the --output or the --remote-name options.
|
||||
|
||||
Warning: On Windows, particular file:// accesses can be converted to network
|
||||
accesses by the operating system. Beware!
|
||||
|
@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@ -217,6 +217,32 @@ avoid that, keep control of what URLs to use and/or prevent curl/libcurl from
|
||||
using the protocol.
|
||||
|
||||
By default, libcurl prohibits redirects to file:// URLs.
|
||||
|
||||
.SH "Warning: file:// on Windows"
|
||||
The Windows operating system will automatically, and without any way for
|
||||
applications to disable it, try to establish a connection to another host over
|
||||
the network and access it (over SMB or other protocols), if only the correct
|
||||
file path is accessed.
|
||||
|
||||
When first realizing this, the curl team tried to filter out such attempts in
|
||||
order to protect applications for inadvertent probes of for example internal
|
||||
networks etc. This resulted in CVE-2019-15601 and the associated security fix.
|
||||
|
||||
However, we've since been made aware of the fact that the previous fix was far
|
||||
from adequate as there are several other ways to accomplish more or less the
|
||||
same thing: accessing a remote host over the network instead of the local file
|
||||
system.
|
||||
|
||||
The conclusion we have come to is that this is a weakness or feature in the
|
||||
Windows operating system itself, that we as an application cannot safely
|
||||
protect users against. It would just be a whack-a-mole race we don't want to
|
||||
participate in. There are too many ways to do it and there's no knob we can
|
||||
use to turn off the practice.
|
||||
|
||||
If you use curl or libcurl on Windows (any version), disable the use of the
|
||||
FILE protocol in curl or be prepared that accesses to a range of "magic paths"
|
||||
will potentially make your system try to access other hosts on your
|
||||
network. curl cannot protect you against this.
|
||||
.SH "What if the user can set the URL"
|
||||
Applications may find it tempting to let users set the URL that it can work
|
||||
on. That's probably fine, but opens up for mischief and trickery that you as
|
||||
|
@ -5,7 +5,7 @@
|
||||
.\" * | (__| |_| | _ <| |___
|
||||
.\" * \___|\___/|_| \_\_____|
|
||||
.\" *
|
||||
.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
.\" *
|
||||
.\" * This software is licensed as described in the file COPYING, which
|
||||
.\" * you should have received as part of this distribution. The terms
|
||||
@ -152,6 +152,10 @@ path.
|
||||
ftp://user:password@ftp.example.com//readme.txt - This retrieves the readme.txt
|
||||
from the root directory when logging in as a specified user.
|
||||
|
||||
.IP FILE
|
||||
When a FILE:// URL is accessed on Windows systems, it can be crafted in a way
|
||||
so that Windows attempts to connect to a (remote) machine when curl wants to
|
||||
read or write such a path.
|
||||
.IP SMTP
|
||||
The path part of a SMTP request specifies the host name to present during
|
||||
communication with the mail server. If the path is omitted then libcurl will
|
||||
|
Loading…
Reference in New Issue
Block a user