moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

Added section on server-supplied names to security considerations

This commit is contained in:
Dan Fandrich 2010-10-12 11:22:18 -07:00
parent 2d3c7b7e01
commit 2869b6ea2b
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/libcurl/libcurl-tutorial.3
View File

@ -1237,6 +1237,15 @@ are used to generate structured data. Characters like embedded carriage
returns or ampersands could allow the user to create additional headers or
fields that could cause malicious transactions.
.IP "Server-supplied Names"
A server can supply data which the application may, in some cases, use as
a file name. The curl command-line tool does this with --remote-header-name,
using the Content-disposition: header to generate a file name. An application
could also use CURLINFO_EFFECTIVE_URL to generate a file name from a
server-supplied redirect URL. Special care must be taken to sanitize such
names to avoid the possibility of a malicious server supplying one like
"/etc/passwd", "\autoexec.bat" or even ".bashrc".
.IP "Server Certificates"
A secure application should never use the CURLOPT_SSL_VERIFYPEER option to
disable certificate validation. There are numerous attacks that are enabled