diff options
author | Daniel Stenberg <daniel@haxx.se> | 2009-03-02 23:05:31 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2009-03-02 23:05:31 +0000 |
commit | 042cc1f69ec0878f542667cb684378869f859911 (patch) | |
tree | c906f85632eb6018fadb153a4c5cdd2fe48072a5 /diff-exclude | |
parent | 90b804d3fa74e9d4fe260c889e9ccebdb7aaa3b1 (diff) |
- David Kierznowski notified us about a security flaw
(http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
which previous libcurl versions (by design) can be tricked to access an
arbitrary local/different file instead of a remote one when
CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
together this the addition of two new setopt options for controlling this
new behavior:
o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
excludes the FILE and SCP protocols and thus you nee to explicitly allow
them in your app if you really want that behavior.
o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
using the primary URL option. This is useful if you want to allow a user or
other outsiders control what URL to pass to libcurl and yet not allow all
protocols libcurl may have been built to support.
Diffstat (limited to 'diff-exclude')
0 files changed, 0 insertions, 0 deletions