mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
headers and security blurb added
This commit is contained in:
parent
5f758fbd11
commit
94da04fcac
@ -413,8 +413,8 @@ HTTP POSTing
|
||||
The following example sets two simple text parts with plain textual contents,
|
||||
and then a file with binary contents and upload the whole thing.
|
||||
|
||||
struct HttpPost *post=NULL;
|
||||
struct HttpPost *last=NULL;
|
||||
struct curl_httppost *post=NULL;
|
||||
struct curl_httppost *last=NULL;
|
||||
curl_formadd(&post, &last,
|
||||
CURLFORM_COPYNAME, "name",
|
||||
CURLFORM_COPYCONTENTS, "daniel", CURLFORM_END);
|
||||
@ -871,7 +871,25 @@ Cookies Without Chocolate Chips
|
||||
|
||||
Headers Equal Fun
|
||||
|
||||
[ use the header callback for HTTP, FTP etc ]
|
||||
Some protocols provide "headers", meta-data separated from the normal
|
||||
data. These headers are by default not included in the normal data stream,
|
||||
but you can make them appear in the data stream by setting CURLOPT_HEADER to
|
||||
TRUE.
|
||||
|
||||
What might be even more useful, is libcurl's ability to separate the headers
|
||||
from the data and thus make the callbacks differ. You can for example set a
|
||||
different pointer to pass to the ordinary write callback by setting
|
||||
CURLOPT_WRITEHEADER.
|
||||
|
||||
Or, you can set an entirely separate function to receive the headers, by
|
||||
using CURLOPT_HEADERFUNCTION.
|
||||
|
||||
The headers are passed to the callback function one by one, and you can
|
||||
depend on that fact. It makes it easier for you to add custom header parsers
|
||||
etc.
|
||||
|
||||
"Headers" for FTP transfers equal all the FTP server responses. They aren't
|
||||
actually true headers, but in this case we pretend they are! ;-)
|
||||
|
||||
|
||||
Post Transfer Information
|
||||
@ -881,7 +899,61 @@ Post Transfer Information
|
||||
|
||||
Security Considerations
|
||||
|
||||
[ ps output, netrc plain text, plain text protocols / base64 ]
|
||||
libcurl is in itself not insecure. If used the right way, you can use libcurl
|
||||
to transfer data pretty safely.
|
||||
|
||||
There are of course many things to consider that may loosen up this
|
||||
situation:
|
||||
|
||||
Command Lines
|
||||
|
||||
If you use a command line tool (such as curl) that uses libcurl, and you
|
||||
give option to the tool on the command line those options can very likely
|
||||
get read by other users of your system when they use 'ps' or other tools
|
||||
to list currently running processes.
|
||||
|
||||
To avoid this problem, never feed sensitive things to programs using
|
||||
command line options.
|
||||
|
||||
.netrc
|
||||
|
||||
.netrc is a pretty handy file/feature that allows you to login quickly and
|
||||
automaticly to frequently visited sites. The file contains passwords in
|
||||
clear text and is a real security risk. In some cases, your .netrc is also
|
||||
stored in a home directory that is NFS mounter or used on another network
|
||||
based file system, so the clear text password will fly through your
|
||||
network every time anyone reads that file!
|
||||
|
||||
To avoid this problem, don't use .netrc files and never store passwords as
|
||||
plain text anywhere.
|
||||
|
||||
Clear Text Passwords
|
||||
|
||||
Many of the protocols libcurl supports send name and password unencrypted
|
||||
as clear text (HTTP Basic authentication, FTP, TELNET etc). It is very
|
||||
easy for anyone on your network or a network nearby yours, to just fire up
|
||||
a network analyzer tool and evesdrop on your passwords. Don't let the fact
|
||||
that HTTP uses base64 encoded passwords fool you. They may not look
|
||||
readable at a first glance, but they very easily "deciphered" by anyone
|
||||
within seconds.
|
||||
|
||||
To avoid this problem, use protocols that don't let snoopers see your
|
||||
password: HTTPS, FTPS and FTP-kerberos are a few examples. HTTP Digest
|
||||
authentication allows this too, but isn't supported by libcurl as of this
|
||||
writing.
|
||||
|
||||
Showing What You Do
|
||||
|
||||
On a related issue, be aware that even in situations like when you have
|
||||
problems with libcurl and ask somone for help, everything you reveal in
|
||||
order to get best possible help might also impose certain security related
|
||||
risks. Host names, user names, paths, operating system specifics etc (not
|
||||
to mention passwords of course) may in fact be used by intruders to gain
|
||||
additional information of a potential target.
|
||||
|
||||
To avoid this problem, you must of course use your common sense. Often,
|
||||
you can just edit out the senstive data or just rearch/replace your true
|
||||
information with faked data.
|
||||
|
||||
|
||||
SSL, Certificates and Other Tricks
|
||||
|
Loading…
Reference in New Issue
Block a user