From d910afe531a7aa40f6fab183c2f51bf2246251bd Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 9 Jan 2020 16:54:48 +0100 Subject: libcurl-security.3: emphasize potential FILE: and local files problem Reported-by: Harry Sintonen --- docs/libcurl/libcurl-security.3 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index da45ed7f6..38154daa0 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. +.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -216,6 +216,11 @@ access, or attempted access, to a local resource. If your application wants to avoid that, keep control of what URLs to use and/or prevent curl/libcurl from using the protocol. +Most systems have local resources that hold potentially sensitive information. +If you can feed a FILE: URL to a remote service, making it show the contents +of its local /etc/passwd or certain files in /proc/ etc, it could lead to +unwanted data leakage. + By default, libcurl prohibits redirects to file:// URLs. .SH "What if the user can set the URL" Applications may find it tempting to let users set the URL that it can work -- cgit v1.2.1
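Review bot: in the second hunk (docs/libcurl/libcurl-security.3, the new paragraph before "By default, libcurl prohibits redirects to file:// URLs."), the sentence "If you can feed a FILE: URL to a remote service, making it show the contents of its local /etc/passwd or certain files in /proc/ etc, it could lead to unwanted data leakage." names no attacker and reads as if the reader is the one feeding the URL; since the surrounding section is about what happens when an application lets an outside party choose the URL, it is clearer to state the threat directly, e.g. "If an attacker can make the application fetch a FILE: URL, it can read local files such as /etc/passwd or entries under /proc/ and leak their contents." The scheme is also spelled "FILE:" in the new text but "file://" in the unchanged line that follows it; pick one spelling for the page. Finally, the new paragraph is inserted between the advice to "keep control of what URLs to use and/or prevent curl/libcurl from using the protocol" and the note that redirects to file:// are refused by default, so the mitigation is now split around the threat description; placing the new paragraph before the "If your application wants to avoid that" sentence would keep threat and mitigation together.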