From 2869b6ea2b96e36873f5c59660f1870387cca390 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Tue, 12 Oct 2010 11:22:18 -0700 Subject: [PATCH] Added section on server-supplied names to security considerations --- docs/libcurl/libcurl-tutorial.3 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/libcurl/libcurl-tutorial.3 b/docs/libcurl/libcurl-tutorial.3 index 236eba056..72f002963 100644 --- a/docs/libcurl/libcurl-tutorial.3 +++ b/docs/libcurl/libcurl-tutorial.3 @@ -1237,6 +1237,15 @@ are used to generate structured data. Characters like embedded carriage returns or ampersands could allow the user to create additional headers or fields that could cause malicious transactions. +.IP "Server-supplied Names" +A server can supply data which the application may, in some cases, use as +a file name. The curl command-line tool does this with --remote-header-name, +using the Content-disposition: header to generate a file name. An application +could also use CURLINFO_EFFECTIVE_URL to generate a file name from a +server-supplied redirect URL. Special care must be taken to sanitize such +names to avoid the possibility of a malicious server supplying one like +"/etc/passwd", "\autoexec.bat" or even ".bashrc". + .IP "Server Certificates" A secure application should never use the CURLOPT_SSL_VERIFYPEER option to disable certificate validation. There are numerous attacks that are enabled
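Review bot: The closing sentence of the new "Server-supplied Names" paragraph says to "sanitize such names" without saying what that means, and the ".bashrc" example shows that stripping directory components alone does not make a name safe. Suggest adding a sentence with the expected handling: keep only the final path component, treat both "/" and "\" as separators, and refuse names that begin with a dot or that would overwrite an existing file in the target directory. Two smaller points on the same paragraph: this is roff source, where the backslash is the escape character, so "\autoexec.bat" will not render with a literal backslash and should be written as "\eautoexec.bat"; and the header name is conventionally spelled "Content-Disposition:".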