aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJay Satiro <raysatiro@yahoo.com>2015-08-18 01:18:27 -0400
committerJay Satiro <raysatiro@yahoo.com>2015-08-18 01:38:07 -0400
commit1f1f131e09d2a9cd3d5859d321a1ec9b127f0a78 (patch)
tree27dd22f0a97f90ebff61a4f56d472b87e75913f8
parent9518139c73452251b5ea4371d41cc3fa4532a0f9 (diff)
docs: Update the redirect protocols disabled by default
- Clarify that FILE and SCP are disabled by default since 7.19.4 - Add that SMB and SMBS are disabled by default since 7.40.0 - Add CURLPROTO_SMBS to the list of protocols
-rw-r--r--docs/curl.116
-rw-r--r--docs/libcurl/libcurl-tutorial.314
-rw-r--r--docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.36
-rw-r--r--docs/libcurl/opts/CURLOPT_PROTOCOLS.31
-rw-r--r--docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.311
5 files changed, 36 insertions, 12 deletions
diff --git a/docs/curl.1 b/docs/curl.1
index dd17f5512..be41d25b7 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1313,8 +1313,20 @@ as concatenating the protocols into one instance of the option.
(Added in 7.20.2)
.IP "--proto-redir <protocols>"
-Tells curl to use the listed protocols after a redirect. See --proto for
-how protocols are represented.
+Tells curl to use the listed protocols on redirect. See --proto for how
+protocols are represented.
+
+Example:
+
+.RS
+.IP "--proto-redir -all,http,https"
+Allow only HTTP and HTTPS on redirect.
+.RE
+
+By default curl will allow all protocols on redirect except several disabled
+for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0
+SMB and SMBS are also disabled. Specifying \fIall\fP or \fI+all\fP enables all
+protocols on redirect, including those disabled for security.
(Added in 7.20.2)
.IP "--proxy-anyauth"
diff --git a/docs/libcurl/libcurl-tutorial.3 b/docs/libcurl/libcurl-tutorial.3
index 558652c21..506537901 100644
--- a/docs/libcurl/libcurl-tutorial.3
+++ b/docs/libcurl/libcurl-tutorial.3
@@ -1086,11 +1086,15 @@ NTLM authentication, HTTPS, FTPS, SCP and SFTP are a few examples.
.IP "Redirects"
The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
redirects sent by a remote server. These redirects can refer to any kind of
-URL, not just HTTP. A redirect to a file: URL would cause the libcurl to read
-(or write) arbitrary files from the local filesystem. If the application
-returns the data back to the user (as would happen in some kinds of CGI
-scripts), an attacker could leverage this to read otherwise forbidden data
-(e.g. file://localhost/etc/passwd).
+URL, not just HTTP. By default libcurl will allow all protocols on redirect
+except several disabled for security reasons: Since 7.19.4 FILE and SCP are
+disabled, and since 7.40.0 SMB and SMBS are also disabled.
+
+A redirect to a file: URL would cause the libcurl to read (or write) arbitrary
+files from the local filesystem. If the application returns the data back to
+the user (as would happen in some kinds of CGI scripts), an attacker could
+leverage this to read otherwise forbidden data (e.g.
+file://localhost/etc/passwd).
If authentication credentials are stored in the ~/.netrc file, or Kerberos
is in use, any other URL type (not just file:) that requires
diff --git a/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3 b/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3
index 3a32caef5..1ca8e34fc 100644
--- a/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3
+++ b/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3
@@ -37,8 +37,10 @@ returned. \fICURLOPT_MAXREDIRS(3)\fP can be used to limit the number of
redirects libcurl will follow.
libcurl can limit to what protocols it will automatically follow. The accepted
-protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP and it excludes the
-FILE protocol by default.
+protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl
+will allow all protocols on redirect except several disabled for security
+reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS
+are also disabled.
For users who think the existing location following is too naive, too simple
or just lacks features, it is very easy to instead implement your own redirect
diff --git a/docs/libcurl/opts/CURLOPT_PROTOCOLS.3 b/docs/libcurl/opts/CURLOPT_PROTOCOLS.3
index 958eeeb9d..b7414a3c3 100644
--- a/docs/libcurl/opts/CURLOPT_PROTOCOLS.3
+++ b/docs/libcurl/opts/CURLOPT_PROTOCOLS.3
@@ -60,6 +60,7 @@ CURLPROTO_RTSP
CURLPROTO_SCP
CURLPROTO_SFTP
CURLPROTO_SMB
+CURLPROTO_SMBS
CURLPROTO_SMTP
CURLPROTO_SMTPS
CURLPROTO_TELNET
diff --git a/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3 b/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3
index fbec9f5c7..fd986b896 100644
--- a/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3
+++ b/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3
@@ -32,8 +32,12 @@ Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
limits what protocols libcurl may use in a transfer that it follows to in a
redirect when \fICURLOPT_FOLLOWLOCATION(3)\fP is enabled. This allows you to
limit specific transfers to only be allowed to use a subset of protocols in
-redirections. By default libcurl will allow all protocols except for FILE and
-SCP.
+redirections.
+
+By default libcurl will allow all protocols on redirect except several disabled
+for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0
+SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all protocols on
+redirect, including those disabled for security.
These are the available protocol defines:
.nf
@@ -60,13 +64,14 @@ CURLPROTO_RTSP
CURLPROTO_SCP
CURLPROTO_SFTP
CURLPROTO_SMB
+CURLPROTO_SMBS
CURLPROTO_SMTP
CURLPROTO_SMTPS
CURLPROTO_TELNET
CURLPROTO_TFTP
.fi
.SH DEFAULT
-All protocols except for FILE, SCP and SMB.
+All protocols except for FILE, SCP and since 7.40.0 SMB and SMBS.
.SH PROTOCOLS
All
.SH EXAMPLE