Lines Matching +full:basic +full:- +full:ftp
1 ---
3 SPDX-License-Identifier: curl
4 Title: libcurl-security
7 See-also:
8 - libcurl-thread (3)
10 - All
11 ---
12 <!-- markdown-link-check-disable -->
15 libcurl-security - security considerations when using libcurl
22 powerful library, however, which allows application writers to make trade-offs
44 line options. Write them to a protected file and use the -K option to avoid
65 clear text (HTTP Basic authentication, FTP, TELNET etc). It is easy for anyone
67 tool and eavesdrop on your passwords. Do not let the fact that HTTP Basic uses
72 does not let snoopers see your password: Digest, CRAM-MD5, Kerberos, SPNEGO or
82 as long as the connection is unauthenticated. There can be a man-in-the-middle
105 redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are
116 also at risk. A redirect such as **ftp://some-internal-server/private-file** would
121 or private-key protected resources,
122 e.g. **sftp://user@some-internal-server/etc/passwd**
129 E.g. **http://127.0.0.1/** or **http://intranet/delete-stuff.cgi?delete=all** or
130 **tftp://bootp-server/pc-config-data**
144 and CURLOPT_RANGE(3), libcurl sends the headers as-is and does not apply
155 server-side libcurl-using application could then use. E.g. the innocuous URL
163 non-redirected URLs, if the user is allowed to specify an arbitrary URL that
170 A malicious FTP server could in response to the PASV command return an IP
182 possible to exploit by an attacker who then perhaps can "port-scan" the
183 particular hosts - depending on how the application and servers act.
188 based on numerical IPv4 addresses used in URLs. This is a bad and error-prone
190 specified and libcurl accepts: one to four dot-separated fields using one of
197 like 127.0.0.1 is not sufficient - the equivalent IPv6 addresses **::1**,
201 link-local and site-local that generally should not be accessed by a
202 server-side libcurl-using application. A poorly configured firewall installed
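The redirect-to-internal-host cases above (**ftp://some-internal-server/private-file**, **http://127.0.0.1/**, **http://intranet/delete-stuff.cgi?delete=all**) and the numerical-address pitfalls here (one to four dot-separated fields, the IPv6 equivalents of loopback, link-local and site-local ranges) come down to one check an application has to perform on a URL before handing it to libcurl or accepting it as a redirect target. The following Python is an added example written for this page, not code from curl or libcurl. It reimplements the inet_aton(3)-style IPv4 grammar (decimal, octal with a leading 0, hexadecimal with 0x, and a last field that fills all remaining bytes; these notations are assumed from inet_aton, since the excerpt above stops before naming them), unwraps IPv4-mapped IPv6 literals, and refuses loopback, private, link-local and site-local targets. The scheme allowlist and the names `check_url`, `literal_address`, `is_forbidden` and `parse_legacy_ipv4` are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes the (hypothetical) application is willing to fetch and to follow
# redirects to. Everything else, e.g. ftp://, sftp://, tftp://, is refused.
ALLOWED_SCHEMES = {"http", "https"}

_DIGITS = "0123456789abcdef"


def parse_legacy_ipv4(text):
    """Parse an IPv4 literal with the inet_aton(3) grammar: one to four
    dot-separated fields, each decimal, octal (leading 0) or hex (0x/0X),
    the last field filling every byte not covered by the fields before it.
    Returns an ipaddress.IPv4Address, or None if text is not such a literal."""
    fields = text.split(".")
    if not 1 <= len(fields) <= 4:
        return None
    values = []
    for field in fields:
        if field[:2].lower() == "0x":
            digits, base = field[2:], 16
        elif len(field) > 1 and field[0] == "0":
            digits, base = field[1:], 8
        else:
            digits, base = field, 10
        # Reject empty fields and anything int() would tolerate but
        # inet_aton would not (signs, whitespace, underscores).
        if not digits or any(c not in _DIGITS[:base] for c in digits.lower()):
            return None
        values.append(int(digits, base))
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    number = last
    for i, v in enumerate(head):
        number |= v << (24 - 8 * i)
    return ipaddress.IPv4Address(number)


def literal_address(host):
    """Return the address a URL host literal denotes (urlsplit() hands IPv6
    literals back without their brackets), or None if host is a DNS name."""
    if ":" in host:
        try:
            addr = ipaddress.IPv6Address(host)
        except ValueError:
            return None
        # ::ffff:127.0.0.1 is an IPv4 target in IPv6 clothing: judge the
        # embedded IPv4 address, not the IPv6 wrapper.
        return addr.ipv4_mapped or addr
    return parse_legacy_ipv4(host)


def is_forbidden(addr):
    """True for targets a server-side fetcher must never reach: loopback,
    RFC 1918 / ULA, link-local, the deprecated IPv6 site-local range,
    multicast and the unspecified address."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified
            or getattr(addr, "is_site_local", False))


def check_url(url):
    """Classify a URL before giving it to libcurl or accepting it as a
    redirect target. Returns ("deny", why), ("allow", why) or
    ("resolve", why). The last means the host is a name: resolve it, run
    is_forbidden() on every returned address, and connect to exactly the
    address you checked, or a DNS answer pointing at 127.0.0.1 after the
    check bypasses it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "deny", "scheme %r is not in the allowlist" % scheme
    host = parts.hostname
    if not host:
        return "deny", "URL has no host"
    addr = literal_address(host)
    if addr is None:
        return "resolve", "%s is a name, resolve it and re-check" % host
    if is_forbidden(addr):
        return "deny", "%s is %s, a loopback/private/link-local target" % (host, addr)
    return "allow", "%s is %s" % (host, addr)


if __name__ == "__main__":
    # Constructed sample URLs, including the numeric spellings of 127.0.0.1
    # that a naive string blocklist would miss.
    for url in ("http://127.0.0.1/", "http://127.1/", "http://2130706433/",
                "http://0x7f.0.0.1/", "http://0177.0.0.1/", "http://[::1]/",
                "http://[::ffff:127.0.0.1]/", "http://[fe80::1]/",
                "ftp://some-internal-server/private-file",
                "http://intranet/delete-stuff.cgi?delete=all",
                "https://93.184.216.34/"):
        print("%-45s %s: %s" % (url, *check_url(url)))
```

Run stand-alone, the block prints a verdict per sample URL; every spelling of 127.0.0.1 is denied, the ftp:// redirect is refused on scheme alone, and **intranet** comes back as "resolve" because the name itself tells you nothing about where it points. The same function must be applied to each redirect location libcurl reports, not only to the initial URL, which is why the doc recommends restricting redirect protocols rather than relying on the first check.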
229 username and password being sent in clear text to an FTP server. Instead, use
238 **http://mail.example.com/delete-stuff.cgi?delete=all** Applications can
269 networks etc. This resulted in CVE-2019-15601 and the associated security fix.
278 protect users against. It would just be a whack-a-mole race we do not want to
293 If your curl-using script allows a custom URL do you also, perhaps
300 you thought, "ftp://" or "imap://" might be what the user gives your
301 application. Also, cross-protocol operations might be done by using a
303 on a non-standard port.
307 ## Use --proto
309 curl command lines can use *--proto* to limit what URL schemes it accepts
337 # FTP uses two connections
339 When performing an FTP transfer, two TCP connections are used: one for setting
342 FTP is not only unauthenticated, but the setting up of the second transfer is
349 man-in-the-middle or that there is a malicious server pretending to be the
352 A malicious FTP server can respond to PASV commands with the IP+PORT of a
355 Distributed Denial-Of-Service attack out of it. If the client makes an upload
362 to send an FTP PORT command to ask the server to connect to a third party host
365 The fact that FTP uses two connections makes it vulnerable in a way that is
368 # Active FTP passes on the local IP address
370 If you use curl/libcurl to do *active* FTP transfers, curl passes on the
371 address of your local IP to the remote server - even when for example using a
378 could effectively result in a denial-of-service attack. The
390 denial-of-service. This can be mitigated by using the
395 User-supplied data must be sanitized when used in options like
402 # Server-supplied Names
405 filename. The curl command-line tool does this with *--remote-header-name*,
406 using the Content-disposition: header to generate a filename. An application
408 server-supplied redirect URL. Special care must be taken to sanitize such
431 security-related data. Besides the obvious candidates like usernames and
441 libcurl-using applications that set the 'setuid' bit to run with elevated or
467 libcurl to be used for upcoming transfers, those secrets are kept around as-is