
Lines Matching +full:- +full:- +full:disable +full:- +full:ftp

1 ---
3 SPDX-License-Identifier: curl
4 Title: libcurl-security
7 See-also:
8 - libcurl-thread (3)
10 - All
11 ---
12 <!-- markdown-link-check-disable -->
15 libcurl-security - security considerations when using libcurl
22 powerful library, however, which allows application writers to make trade-offs
44 line options. Write them to a protected file and use the -K option to avoid
65 clear text (HTTP Basic authentication, FTP, TELNET etc). It is easy for anyone
72 does not let snoopers see your password: Digest, CRAM-MD5, Kerberos, SPNEGO or
82 as long as the connection is unauthenticated. There can be a man-in-the-middle
105 redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are
116 also at risk. A redirect such as **ftp://some-internal-server/private-file** would
121 or private-key protected resources,
122 e.g. **sftp://user@some-internal-server/etc/passwd**
129 E.g. **http://127.0.0.1/** or **http://intranet/delete-stuff.cgi?delete=all** or
130 **tftp://bootp-server/pc-config-data**
144 and CURLOPT_RANGE(3), libcurl sends the headers as-is and does not apply
155 server-side libcurl-using application could then use. E.g. the innocuous URL
163 non-redirected URLs, if the user is allowed to specify an arbitrary URL that
170 A malicious FTP server could in response to the PASV command return an IP
182 possible to exploit by an attacker who then perhaps can "port-scan" the
183 particular hosts - depending on how the application and servers act.
188 based on numerical IPv4 addresses used in URLs. This is a bad and error-prone
190 specified and libcurl accepts: one to four dot-separated fields using one of
197 like 127.0.0.1 is not sufficient - the equivalent IPv6 addresses **::1**,
201 link-local and site-local that generally should not be accessed by a
202 server-side libcurl-using application. A poorly configured firewall installed
229 username and password being sent in clear text to an FTP server. Instead, use
238 **http://mail.example.com/delete-stuff.cgi?delete=all** Applications can
263 applications to disable it, to establish a connection to another host over the
269 networks etc. This resulted in CVE-2019-15601 and the associated security fix.
278 protect users against. It would just be a whack-a-mole race we do not want to
282 If you use curl or libcurl on Windows (any version), disable the use of the
293 If your curl-using script allows a custom URL, do you also, perhaps
300 you thought, "ftp://" or "imap://" might be what the user gives your
301 application. Also, cross-protocol operations might be done by using a
303 on a non-standard port.
307 ## Use --proto
309 curl command lines can use *--proto* to limit what URL schemes it accepts
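The two points made above, that filtering on numeric IPv4 forms and their IPv6 equivalents is error-prone, and that a user-controlled URL needs a scheme allowlist of the kind *--proto* gives the command line, can be combined into one pre-flight check. The following is an added example written for this page, not code from the curl project: it accepts the same one-to-four-field decimal/octal/hex IPv4 literals libcurl does, unwraps IPv4-mapped IPv6, treats anything that is not globally routable as internal, and applies a scheme and default-port allowlist. `vet_url`, `DEFAULT_PORTS` and the exact deny policy are this example's own choices.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One numeric field as the classic inet_aton() grammar reads it:
# "0x.." hex, leading "0" octal, otherwise decimal. Forms such as "08" are rejected.
_FIELD = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

# Policy for this example: schemes a user may hand us (application-side counterpart
# of curl's --proto). Only the default port of an allowed scheme is accepted.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_ipv4_legacy(host):
    """Parse an IPv4 literal the permissive way libcurl (like inet_aton) does:
    one to four dot-separated fields, each decimal, octal or hex, the last field
    filling all remaining bytes. Returns an IPv4Address, or None if `host` is not
    such a literal. "127.1", "0177.0.0.1", "0x7f.1" and "2130706433" all denote
    127.0.0.1."""
    fields = host.split(".")
    if not 1 <= len(fields) <= 4:
        return None
    values = []
    for f in fields:
        if not _FIELD.fullmatch(f):
            return None
        if f[:2].lower() == "0x":
            values.append(int(f[2:], 16))
        elif f[0] == "0":
            values.append(int(f, 8))
        else:
            values.append(int(f))
    tail_bits = 8 * (5 - len(values))  # 32, 24, 16 or 8 bits for the last field
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << tail_bits:
        return None
    number = 0
    for v in values[:-1]:
        number = (number << 8) | v
    number = (number << tail_bits) | values[-1]
    return ipaddress.IPv4Address(number)


def host_to_address(host):
    """Return the address a URL host literal denotes, or None for a DNS name.
    Handles bracketed IPv6 with a zone id ("[fe80::1%25eth0]") and legacy IPv4."""
    bare = host.strip("[]").split("%", 1)[0]
    if ":" in bare:
        try:
            return ipaddress.IPv6Address(bare)
        except ValueError:
            return None
    return parse_ipv4_legacy(bare)


def address_is_internal(addr):
    """Deny by default: anything not globally routable is internal. IPv4-mapped
    IPv6 (::ffff:127.0.0.1) is unwrapped first. Multicast and the deprecated
    site-local range are checked explicitly because `is_global` lets them through."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast or getattr(addr, "is_site_local", False)


def vet_url(url, allowed_schemes=("https",)):
    """Return (accepted, reason) for a user-supplied URL before it reaches libcurl."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for junk or out-of-range ports
    except ValueError:
        return False, "unparsable URL"
    if parts.scheme not in allowed_schemes:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        return False, "non-default port"
    addr = host_to_address(parts.hostname)
    if addr is None:
        # A DNS name cannot be judged here: resolve it, run address_is_internal()
        # on every returned address, and connect only to an address that passed.
        return True, "hostname, check after resolving"
    if address_is_internal(addr):
        return False, "internal address"
    return True, "public address literal"


if __name__ == "__main__":
    for u in ("https://0177.0.0.1/", "https://[::ffff:127.0.0.1]/", "https://[fec0::1]/",
              "ftp://some-internal-server/private-file", "https://example.com:8443/",
              "https://8.8.8.8/", "https://example.com/"):
        print(f"{u:42} {vet_url(u)}")
```

A DNS name only gets a provisional pass: the application still has to resolve it and run `address_is_internal` over every returned address, and then make sure the transfer goes to the address it checked rather than to a fresh lookup. Denying on `is_global` is deliberately broad; documentation ranges and carrier-grade NAT space are refused as well.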
337 # FTP uses two connections
339 When performing an FTP transfer, two TCP connections are used: one for setting
342 FTP is not only unauthenticated, but the setting up of the second transfer is
349 man-in-the-middle or that there is a malicious server pretending to be the
352 A malicious FTP server can respond to PASV commands with the IP+PORT of a
355 Distributed Denial-Of-Service attack out of it. If the client makes an upload
362 to send an FTP PORT command to ask the server to connect to a third party host
365 The fact that FTP uses two connections makes it vulnerable in a way that is
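Added example, not curl's own code: parsing a 227 PASV reply and deciding where the data connection may go. With `skip_pasv_ip=True` it does what curl does by default with *--ftp-skip-pasv-ip*: the advertised address is ignored and the control connection's peer is reused, so a hostile server cannot aim the client's upload at a third party. The strict variant instead rejects any reply whose address differs from the control peer. The sample replies and the addresses 192.0.2.10 and 203.0.113.7 are constructed for the illustration.

```python
import ipaddress
import re

# Host/port tuple inside a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Parse a 227 PASV reply into ("a.b.c.d", port). Raises ValueError on junk."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0")
    return ".".join(str(n) for n in nums[:4]), port


def data_endpoint(control_peer, reply, skip_pasv_ip=True):
    """Decide where the data connection goes.

    control_peer: the address the control connection is actually connected to.
    skip_pasv_ip=True: ignore the advertised address and reuse control_peer with
      the advertised port (curl's --ftp-skip-pasv-ip behaviour), so the server
      cannot point the data connection at a third party.
    skip_pasv_ip=False: honour the advertised address only if it is control_peer;
      anything else is treated as an attack and rejected with ValueError.
    """
    advertised, port = parse_pasv_reply(reply)
    if skip_pasv_ip:
        return control_peer, port
    if ipaddress.IPv4Address(advertised) != ipaddress.IPv4Address(control_peer):
        raise ValueError(f"server tried to redirect the data connection to {advertised}:{port}")
    return advertised, port


def accepts(control_peer, reply, skip_pasv_ip=True):
    """True if data_endpoint() would connect, False if it rejects the reply."""
    try:
        data_endpoint(control_peer, reply, skip_pasv_ip)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed replies: the first points back at the server, the second tries to
    # make the client open a connection to an unrelated host's SMTP port.
    server = "192.0.2.10"
    honest = "227 Entering Passive Mode (192,0,2,10,195,80)"
    hostile = "227 Entering Passive Mode (203,0,113,7,0,25)"
    for reply in (honest, hostile):
        print(reply)
        print("  skip-pasv-ip:", data_endpoint(server, reply))
        print("  strict      :", "accepted" if accepts(server, reply, False) else "rejected")
```

Reusing the control peer is the safer default because a legitimate server behind NAT often advertises a wrong (private) address anyway, so strict rejection would break real transfers without adding protection.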
368 # Active FTP passes on the local IP address
370 If you use curl/libcurl to do *active* FTP transfers, curl passes on the
371 address of your local IP to the remote server - even when for example using a
378 could effectively result in a denial-of-service attack. The
390 denial-of-service. This can be mitigated by using the
395 User-supplied data must be sanitized when used in options like
402 # Server-supplied Names
405 filename. The curl command-line tool does this with *--remote-header-name*,
406 using the Content-disposition: header to generate a filename. An application
408 server-supplied redirect URL. Special care must be taken to sanitize such
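As an added example of the sanitizing the text calls for (not the curl tool's own *--remote-header-name* implementation), here is a reducer for a server-sent Content-Disposition filename: it prefers `filename*`, decodes it in its declared charset, keeps only the last path component for either separator, strips dotfiles and anything outside a restrictive charset, and refuses Windows device names. The charset policy and the `fallback` name are this example's own choices; the header values used in the demo are constructed.

```python
import re
from urllib.parse import unquote

# filename / filename* parameters of a Content-Disposition header (RFC 6266 / 5987).
_PARAM_RE = re.compile(r'(?i)\b(filename\*?)\s*=\s*(?:"([^"]*)"|([^;]*))')

# Conservative charset for what this example is willing to create on disk.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

# Names Windows treats as devices; compared case-insensitively on the stem.
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def extract_filename(content_disposition):
    """Return the server-suggested name, preferring filename* (percent-decoded in
    its declared charset) over filename. None if neither parameter is usable."""
    plain, extended = None, None
    for m in _PARAM_RE.finditer(content_disposition):
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        if m.group(1).lower() == "filename*":
            parts = value.split("'", 2)  # charset'language'percent-encoded
            if len(parts) == 3:
                try:
                    extended = unquote(parts[2], encoding=parts[0] or "utf-8", errors="strict")
                except (LookupError, UnicodeDecodeError):
                    pass  # unknown charset or bad bytes: ignore the parameter
        elif plain is None:
            plain = value
    return extended if extended is not None else plain


def safe_filename(content_disposition, fallback="download"):
    """Reduce a server-supplied name to one safe to create in the current directory."""
    name = extract_filename(content_disposition) or ""
    name = re.split(r"[\\/]", name)[-1]  # last path component, either separator
    name = _UNSAFE.sub("_", name)        # control chars, spaces, shell metachars, non-ASCII
    name = name.lstrip(".")              # no dotfiles; "." and ".." collapse to nothing
    name = name[:255]
    if not name or name.split(".")[0].upper() in _RESERVED:
        return fallback
    return name


if __name__ == "__main__":
    # Constructed header values a hostile or sloppy server might send.
    for header in ('attachment; filename="../../etc/passwd"',
                   'attachment; filename="..\\..\\boot.ini"',
                   "attachment; filename*=UTF-8''%2e%2e%2f%2e%2e%2fetc%2fshadow",
                   'inline; filename=".bashrc"',
                   'attachment; filename="report 2024.pdf"',
                   'attachment; filename="CON"',
                   "attachment"):
        print(f"{header:65} -> {safe_filename(header)}")
```

The same reduction applies to any other server-chosen name an application turns into a path, for example the last segment of a redirect URL; the caller should additionally refuse to overwrite an existing file.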
415 option to disable certificate validation. There are numerous attacks that are
431 security-related data. Besides the obvious candidates like usernames and
441 libcurl-using applications that set the 'setuid' bit to run with elevated or
467 libcurl to be used for upcoming transfers, those secrets are kept around as-is