Added section on server-supplied names to security considerations

author: Dan Fandrich <dan@coneharvesters.com> 2010-10-12 11:22:18 -0700
committer: Dan Fandrich <dan@coneharvesters.com> 2010-10-12 11:22:18 -0700
commit: 2869b6ea2b96e36873f5c59660f1870387cca390 (patch)
tree: 7eba962c361cf318ce477c5f0233dba67c8c65e4 /docs/libcurl/libcurl-tutorial.3
parent: 2d3c7b7e01d87ba6dab0e83b2fa1e9567db10086 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/libcurl/libcurl-tutorial.3 b/docs/libcurl/libcurl-tutorial.3
index 236eba056..72f002963 100644
--- a/docs/libcurl/libcurl-tutorial.3
+++ b/docs/libcurl/libcurl-tutorial.3
@@ -1237,6 +1237,15 @@ are used to generate structured data. Characters like embedded carriage
 returns or ampersands could allow the user to create additional headers or
 fields that could cause malicious transactions.
 
+.IP "Server-supplied Names"
+A server can supply data which the application may, in some cases, use as
+a file name. The curl command-line tool does this with --remote-header-name,
+using the Content-disposition: header to generate a file name.  An application
+could also use CURLINFO_EFFECTIVE_URL to generate a file name from a
+server-supplied redirect URL. Special care must be taken to sanitize such
+names to avoid the possibility of a malicious server supplying one like
+"/etc/passwd", "\autoexec.bat" or even ".bashrc".
+
 .IP "Server Certificates"
 A secure application should never use the CURLOPT_SSL_VERIFYPEER option to
 disable certificate validation. There are numerous attacks that are enabled
author	Dan Fandrich <dan@coneharvesters.com>	2010-10-12 11:22:18 -0700
committer	Dan Fandrich <dan@coneharvesters.com>	2010-10-12 11:22:18 -0700
commit	2869b6ea2b96e36873f5c59660f1870387cca390 (patch)
tree	7eba962c361cf318ce477c5f0233dba67c8c65e4 /docs/libcurl/libcurl-tutorial.3
parent	2d3c7b7e01d87ba6dab0e83b2fa1e9567db10086 (diff)