From 7fdf01f32e8b1f0f89ea7d1086df04749dea415b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 23 Apr 2021 16:32:19 +0200 Subject: [PATCH] libcurl-security.3: don't try to filter IPv4 hosts based on the URL Closes #6942 --- docs/libcurl/libcurl-security.3 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index 705e2c7ef..b4907ac22 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. +.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -162,6 +162,12 @@ Allowing your application to connect to local hosts, be it the same machine that runs the application or a machine on the same local network, might be possible to exploit by an attacker who then perhaps can "port-scan" the particular hosts - depending on how the application and servers acts. +.SH "IPv4 Addresses" +Some users might be tempted to filter access to local resources or similar +based on numerical IPv4 addresses used in URLs. This is a bad and error-prone +idea because of the many different ways a numerical IPv4 address can be +specified and libcurl accepts: one to four dot-separated fields using one of +or a mix of decimal, octal or hexadecimal encoding. .SH "IPv6 Addresses" libcurl will normally handle IPv6 addresses transparently and just as easily as IPv4 addresses. That means that a sanitizing function that filters out
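Review bot: the new "IPv4 Addresses" section in the second hunk says what not to do but does not tell the reader what to do instead, so it would help to close it with the recommended alternative (checking the address after name resolution rather than matching on the URL string), which is what the "IPv6 Addresses" section that follows leads into. Two wording points in the same hunk: "one to four dot-separated fields using one of or a mix of decimal, octal or hexadecimal encoding" reads awkwardly and could become "one to four dot-separated fields, each in decimal, octal or hexadecimal notation, possibly mixed", and "the many different ways a numerical IPv4 address can be specified and libcurl accepts" would be clearer as "the many different ways a numerical IPv4 address can be specified that libcurl accepts". The copyright-year bump in the first hunk is fine.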