Lines Matching +full:windows +full:- +full:remote +full:- +full:only

1 ---
3 SPDX-License-Identifier: curl
4 Title: libcurl-security
7 See-also:
8 - libcurl-thread (3)
10 - All
11 ---
12 <!-- markdown-link-check-disable -->
15 libcurl-security - security considerations when using libcurl
22 powerful library, however, which allows application writers to make trade-offs
44 line options. Write them to a protected file and use the -K option to avoid
72 does not let snoopers see your password: Digest, CRAM-MD5, Kerberos, SPNEGO or
79 with any certainty know that they communicate with the right remote server.
82 as long as the connection is unauthenticated. There can be a man-in-the-middle
103 redirects sent by a remote server. These redirects can refer to any kind of
105 redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are
116 also at risk. A redirect such as **ftp://some-internal-server/private-file** would
121 or private-key protected resources,
122 e.g. **sftp://user@some-internal-server/etc/passwd**
127 A redirect can also specify a location available only on the machine running
129 E.g. **http://127.0.0.1/** or **http://intranet/delete-stuff.cgi?delete=all** or
130 **tftp://bootp-server/pc-config-data**
144 and CURLOPT_RANGE(3), libcurl sends the headers as-is and does not apply
155 server-side libcurl-using application could then use. E.g. the innocuous URL
163 non-redirected URLs, if the user is allowed to specify an arbitrary URL that
182 possible to exploit by an attacker who then perhaps can "port-scan" the
183 particular hosts - depending on how the application and servers act.
188 based on numerical IPv4 addresses used in URLs. This is a bad and error-prone
190 specified and libcurl accepts: one to four dot-separated fields using one of
197 like 127.0.0.1 is not sufficient - the equivalent IPv6 addresses **::1**,
201 link-local and site-local that generally should not be accessed by a
202 server-side libcurl-using application. A poorly configured firewall installed
206 addresses to IPv4 only and bypass these issues.
210 When uploading, a redirect can cause a local (or remote) file to be
238 **http://mail.example.com/delete-stuff.cgi?delete=all** Applications can
260 # Warning: file:// on Windows
262 The Windows operating system tries automatically, and without any way for
264 network and access it (over SMB or other protocols), if only the correct file
269 networks etc. This resulted in CVE-2019-15601 and the associated security fix.
273 same thing: accessing a remote host over the network instead of the local file
277 Windows operating system itself, that we as an application cannot safely
278 protect users against. It would just be a whack-a-mole race we do not want to
282 If you use curl or libcurl on Windows (any version), disable the use of the
293 If your curl-using script allows a custom URL do you also, perhaps
301 application. Also, cross-protocol operations might be done by using a
303 on a non-standard port.
307 ## Use --proto
309 curl command lines can use *--proto* to limit what URL schemes it accepts
318 only allow specific choices?
342 FTP is not only unauthenticated, but the setting up of the second transfer is
349 man-in-the-middle or that there is a malicious server pretending to be the
355 Distributed Denial-Of-Service attack out of it. If the client makes an upload
371 address of your local IP to the remote server - even when for example using a
378 could effectively result in a denial-of-service attack. The
390 denial-of-service. This can be mitigated by using the
395 User-supplied data must be sanitized when used in options like
402 # Server-supplied Names
405 filename. The curl command-line tool does this with *--remote-header-name*,
406 using the Content-disposition: header to generate a filename. An application
408 server-supplied redirect URL. Special care must be taken to sanitize such
431 security-related data. Besides the obvious candidates like usernames and
441 libcurl-using applications that set the 'setuid' bit to run with elevated or
443 should only be done after careful considerations.
462 only the trusted and reliable helper program is invoked!
467 libcurl to be used for upcoming transfers, those secrets are kept around as-is