field | value | date
---|---|---
author | Daniel Stenberg <daniel@haxx.se> | 2021-04-23 16:32:19 +0200
committer | Daniel Stenberg <daniel@haxx.se> | 2021-04-23 16:32:19 +0200
commit | 18804d3abbe398b1ef2efc6ac579c8e92c0316cd (patch) |
tree | 036e2b8c8b9e83a0019c018d75976a3449da3f23 |
parent | a4554b2c5e7c5788c8198001598818599c60ff7d (diff) |
download | curl-18804d3abbe398b1ef2efc6ac579c8e92c0316cd.tar.gz |
libcurl-security.3: don't try to filter IPv4 hosts based on the URL

branch: bagder/security-ipv4
mode | file | lines
---|---|---
-rw-r--r-- | docs/libcurl/libcurl-security.3 | 8

1 file changed, 7 insertions, 1 deletion
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index 705e2c7ef..b4907ac22 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -162,6 +162,12 @@ Allowing your application to connect to local hosts, be it the same machine that runs the application or a machine on the same local network, might be possible to exploit by an attacker who then perhaps can "port-scan" the particular hosts - depending on how the application and servers acts. +.SH "IPv4 Addresses" +Some users might be tempted to filter access to local resources or similar +based on numerical IPv4 addresses used in URLs. This is a bad and error-prone +idea because of the many different ways a numerical IPv4 address can be +specified and libcurl accepts: one to four dot-separated fields using one of +or a mix of decimal, octal or hexadecimal encoding. .SH "IPv6 Addresses" libcurl will normally handle IPv6 addresses transparently and just as easily as IPv4 addresses. That means that a sanitizing function that filters out |
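Review bot: the new "IPv4 Addresses" section in the second hunk says what not to do (filter on the literal IPv4 address in the URL) but gives the reader no alternative; since the paragraph just above it already warns about connections to local hosts, consider adding a sentence recommending that any such filter be applied to the address libcurl actually ends up connecting to, after URL parsing and name resolution, rather than to the URL string. Also, "using one of or a mix of decimal, octal or hexadecimal encoding" reads awkwardly; suggest "using decimal, octal or hexadecimal encoding, or a mix of them".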