author Daniel Stenberg <daniel@haxx.se> 2018-02-13 14:04:04 +0100
committer Daniel Stenberg <daniel@haxx.se> 2018-02-13 14:04:04 +0100
commit 63f6b3b22077c6fd4a75ce4ceac7258509af412c (patch)
tree 141116985bbb90a5a3cfb360cbaceea12615754d
parent 1e720400aaab007f7b06099f94c09ea0d59036e7 (diff)
download curl-63f6b3b22077c6fd4a75ce4ceac7258509af412c.tar.gz
libcurl-security.3: separate file:// section
... just to make it more apparent. Even if it repeats some pieces of information.
-rw-r--r-- docs/libcurl/libcurl-security.3 7
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3
index 185fb6b08..377301ee0 100644
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -208,6 +208,13 @@ of how the SCP protocol is designed. e.g.
Applications must not allow unsanitized SCP: URLs to be passed in for
downloads.
+.SH "file://"
+By default curl and libcurl support file:// URLs. Such a URL is always an
+access, or attempted access, to a local resource. If your application wants to
+avoid that, keep control of what URLs to use and/or prevent curl/libcurl from
+using the protocol.
+
+By default, libcurl prohibits redirects to file:// URLs.
.SH "What if the user can set the URL"
Applications may find it tempting to let users set the URL that it can work
on. That's probably fine, but opens up for mischief and trickery that you as
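Review bot: In the new file:// section, "prevent curl/libcurl from using the protocol" does not say how to do that; name the mechanism at that point, for example CURLOPT_PROTOCOLS for libcurl and --proto for the curl tool, so an application author can act on the advice without searching elsewhere. The closing line "By default, libcurl prohibits redirects to file:// URLs" would likewise benefit from naming CURLOPT_REDIR_PROTOCOLS as the setting that governs it, since an application that widens that option gives up the default. Minor wording: "Such a URL is always an access, or attempted access" reads awkwardly; something like "Using such a URL always means accessing, or attempting to access, a local resource" is clearer.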