author | Daniel Stenberg <daniel@haxx.se> | 2020-01-09 16:54:48 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2020-01-09 17:03:05 +0100 |
commit | d910afe531a7aa40f6fab183c2f51bf2246251bd (patch) | |
tree | 6eebf00a4b89c3082e41f02d9168efd7385728c0 | |
parent | 446665606c3db116c02a68dac0b5a0626c517bf7 (diff) | |
download | curl-bagder/security-file-proc.tar.gz |
libcurl-security.3: emphasize potential FILE: and local files problem
(branch: bagder/security-file-proc)
Reported-by: Harry Sintonen
-rw-r--r-- | docs/libcurl/libcurl-security.3 | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index da45ed7f6..38154daa0 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -216,6 +216,11 @@ access, or attempted access, to a local resource. If your application wants to avoid that, keep control of what URLs to use and/or prevent curl/libcurl from using the protocol. +Most systems have local resources that hold potentially sensitive information. +If you can feed a FILE: URL to a remote service, making it show the contents +of its local /etc/passwd or certain files in /proc/ etc, it could lead to +unwanted data leakage. + By default, libcurl prohibits redirects to file:// URLs. .SH "What if the user can set the URL" Applications may find it tempting to let users set the URL that it can work |
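Review bot: the paragraph added in the second hunk spells the scheme two ways within three lines: it says "feed a FILE: URL to a remote service" while the unchanged line right after it reads "By default, libcurl prohibits redirects to file:// URLs."; use one form (the surrounding man page text uses "file://"). The example list in the same paragraph also reads awkwardly, "its local /etc/passwd or certain files in /proc/ etc, it could lead to unwanted data leakage", and the subject of "it could lead" is unclear; suggest "its local /etc/passwd or certain files under /proc/, that could lead to unwanted data leakage". Placement is worth a second look as well: the new text lands after the sentence that already states the mitigation ("keep control of what URLs to use and/or prevent curl/libcurl from using the protocol"), so the threat is described only after the fix. Either move the paragraph in front of that sentence, or close it with a concrete pointer to how an application disables the protocol (for instance naming CURLOPT_PROTOCOLS), so the section reads in threat-then-mitigation order and the reader is not left with "prevent curl/libcurl from using the protocol" as the only hint.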