1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 09:08:49 -05:00

libcurl-security.3: improved layout for two rememdy lists

This commit is contained in:
Daniel Stenberg 2018-05-31 11:19:05 +02:00
parent 5f07fca8f7
commit 71d35e4a1d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -88,9 +88,11 @@ have been injected by an attacker. The data that curl sends might be modified
before it reaches the intended server. If it even reaches the intended server before it reaches the intended server. If it even reaches the intended server
at all. at all.
Remedies include: Remedies:
- Restrict operations to authenticated transfers .IP "Restrict operations to authenticated transfers"
- Make sure the server's certificate etc is verified Ie use authenticated protocols protected with HTTPS or SSH.
.IP "Make sure the server's certificate etc is verified"
Never ever switch off certificate verification.
.SH "Redirects" .SH "Redirects"
The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
redirects sent by a remote server. These redirects can refer to any kind of redirects sent by a remote server. These redirects can refer to any kind of
@ -233,11 +235,13 @@ particular scheme in the URL but point to a server doing a different protocol
on a non-standard port. on a non-standard port.
Remedies: Remedies:
.IP "Use --proto"
- curl command lines can use \fI--proto\fP to limit what schemes it accepts curl command lines can use \fI--proto\fP to limit what URL schemes it accepts
- libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP .IP "Use CURLOPT_PROTOCOLS"
- consider not allowing the user to set the full URL libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP to limit what URL schemes it accepts
- consider strictly filtering input to only allow specific choices .IP "consider not allowing the user to set the full URL"
Maybe just let the user provide data for parts of it? Or maybe filter input to
only allow specific choices?
.SH "RFC 3986 vs WHATWG URL" .SH "RFC 3986 vs WHATWG URL"
curl supports URLs mostly according to how they are defined in RFC 3986, and curl supports URLs mostly according to how they are defined in RFC 3986, and
has done so since the beginning. has done so since the beginning.