mirror of https://github.com/moparisthebest/curl synced 2024-12-23 16:48:49 -05:00
Mentioned-By: Rich Moore
Daniel Stenberg 2018-02-13 13:54:11 +01:00
parent 03b7b2e8fc
commit 1e720400aa
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
@ -151,6 +151,11 @@ address and port number for a server local to the app running libcurl but
behind a firewall. Applications can mitigate against this by using the behind a firewall. Applications can mitigate against this by using the
\fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP. \fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP.
Local servers sometimes assume local access comes from friends and trusted
users. An application that expects http://example.com/file_to_read that and
instead gets http://192.168.0.1/my_router_config might print a file that would
otherwise be protected by the firewall.
Allowing your application to connect to local hosts, be it the same machine Allowing your application to connect to local hosts, be it the same machine
that runs the application or a machine on the same local network, might be that runs the application or a machine on the same local network, might be
possible to exploit by an attacker who then perhaps can "port-scan" the possible to exploit by an attacker who then perhaps can "port-scan" the
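Review bot: The third added line has a stray "that" in "An application that expects http://example.com/file_to_read that and instead gets http://192.168.0.1/my_router_config", which makes the sentence ungrammatical; suggest "An application that expects http://example.com/file_to_read and instead gets http://192.168.0.1/my_router_config might print a file that would otherwise be protected by the firewall." The example itself is a good addition, since it makes concrete why the CURLOPT_FTP_SKIP_PASV_IP(3) and CURLOPT_FTPPORT(3) mitigations mentioned in the preceding lines matter: a redirected request can read data that the firewall, not the server, was protecting.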
@ -303,7 +308,7 @@ enabled by applications that fail to properly validate server TLS/SSL
certificates, thus enabling a malicious server to spoof a legitimate certificates, thus enabling a malicious server to spoof a legitimate
one. HTTPS without validated certificates is potentially as insecure as a one. HTTPS without validated certificates is potentially as insecure as a
plain HTTP connection. plain HTTP connection.
.SH "Resport Security Problems" .SH "Report Security Problems"
Should you detect or just suspect a security problem in libcurl or curl, Should you detect or just suspect a security problem in libcurl or curl,
contact the project curl security team immediately. See the separate contact the project curl security team immediately. See the separate
SECURITY.md document for details. SECURITY.md document for details.
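Review bot: The heading change from "Resport Security Problems" to "Report Security Problems" is a correct typo fix in the .SH line and needs no further change; since it is unrelated to the local-resources paragraph added in the first hunk, consider mentioning it in the commit message (only the Mentioned-By trailer is visible here) so the history records both edits.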