moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

libcurl-security.3: separate file:// section 

... just to make it more apparent. Even if it repeats
some pieces of information.
This commit is contained in:
Daniel Stenberg 2018-02-13 14:04:04 +01:00
parent 1e720400aa
commit 63f6b3b220
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/libcurl/libcurl-security.3
View File

@ -208,6 +208,13 @@ of how the SCP protocol is designed. e.g.
Applications must not allow unsanitized SCP: URLs to be passed in for
downloads.
.SH "file://"
By default curl and libcurl support file:// URLs. Such a URL is always an
access, or attempted access, to a local resource. If your application wants to
avoid that, keep control of what URLs to use and/or prevent curl/libcurl from
using the protocol.
By default, libcurl prohibits redirects to file:// URLs.
.SH "What if the user can set the URL"
Applications may find it tempting to let users set the URL that it can work
on. That's probably fine, but opens up for mischief and trickery that you as