Added section on server-supplied names to security considerations

Dan Fandrich 2010-10-12 11:22:18 -07:00
parent 2d3c7b7e01
commit 2869b6ea2b
1 changed files with 9 additions and 0 deletions

@ -1237,6 +1237,15 @@ are used to generate structured data. Characters like embedded carriage
returns or ampersands could allow the user to create additional headers or returns or ampersands could allow the user to create additional headers or
fields that could cause malicious transactions. fields that could cause malicious transactions.
.IP "Server-supplied Names"
A server can supply data which the application may, in some cases, use as
a file name. The curl command-line tool does this with --remote-header-name,
using the Content-disposition: header to generate a file name. An application
could also use CURLINFO_EFFECTIVE_URL to generate a file name from a
server-supplied redirect URL. Special care must be taken to sanitize such
names to avoid the possibility of a malicious server supplying one like
"/etc/passwd", "\autoexec.bat" or even ".bashrc".
.IP "Server Certificates" .IP "Server Certificates"
A secure application should never use the CURLOPT_SSL_VERIFYPEER option to A secure application should never use the CURLOPT_SSL_VERIFYPEER option to
disable certificate validation. There are numerous attacks that are enabled disable certificate validation. There are numerous attacks that are enabled
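Review bot: the last added line writes "\autoexec.bat" with a bare backslash in roff source (the section uses .IP macros), so \a will be read as an escape sequence and the backslash will not appear in the rendered page; write it as "\\autoexec.bat" or "\eautoexec.bat". The paragraph also says names must be sanitized without saying what that involves. A sentence of concrete guidance would help, for example using only the final path component, rejecting names that begin with a dot, and refusing to overwrite an existing file. Minor: the header is conventionally spelled "Content-Disposition:".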