| author | Jay Satiro <raysatiro@yahoo.com> | 2015-08-18 01:18:27 -0400 |
|---|---|---|
| committer | Jay Satiro <raysatiro@yahoo.com> | 2015-08-18 01:38:07 -0400 |
| commit | 1f1f131e09d2a9cd3d5859d321a1ec9b127f0a78 | |
| tree | 27dd22f0a97f90ebff61a4f56d472b87e75913f8 /docs/libcurl/libcurl-tutorial.3 | |
| parent | 9518139c73452251b5ea4371d41cc3fa4532a0f9 | |
docs: Update the redirect protocols disabled by default
- Clarify that FILE and SCP are disabled by default since 7.19.4
- Add that SMB and SMBS are disabled by default since 7.40.0
- Add CURLPROTO_SMBS to the list of protocols
Diffstat (limited to 'docs/libcurl/libcurl-tutorial.3')
-rw-r--r-- | docs/libcurl/libcurl-tutorial.3 | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/docs/libcurl/libcurl-tutorial.3 b/docs/libcurl/libcurl-tutorial.3 index 558652c21..506537901 100644 --- a/docs/libcurl/libcurl-tutorial.3 +++ b/docs/libcurl/libcurl-tutorial.3 @@ -1086,11 +1086,15 @@ NTLM authentication, HTTPS, FTPS, SCP and SFTP are a few examples. .IP "Redirects" The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP redirects sent by a remote server. These redirects can refer to any kind of -URL, not just HTTP. A redirect to a file: URL would cause the libcurl to read -(or write) arbitrary files from the local filesystem. If the application -returns the data back to the user (as would happen in some kinds of CGI -scripts), an attacker could leverage this to read otherwise forbidden data -(e.g. file://localhost/etc/passwd). +URL, not just HTTP. By default libcurl will allow all protocols on redirect +except several disabled for security reasons: Since 7.19.4 FILE and SCP are +disabled, and since 7.40.0 SMB and SMBS are also disabled. + +A redirect to a file: URL would cause the libcurl to read (or write) arbitrary +files from the local filesystem. If the application returns the data back to +the user (as would happen in some kinds of CGI scripts), an attacker could +leverage this to read otherwise forbidden data (e.g. +file://localhost/etc/passwd). If authentication credentials are stored in the ~/.netrc file, or Kerberos is in use, any other URL type (not just file:) that requires |
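Review bot: The new second paragraph ("A redirect to a file: URL would cause the libcurl to read (or write) arbitrary files ...") still reads as if a file: redirect is followed unconditionally, which the paragraph added just above it says is no longer the default since 7.19.4; qualify it so the two agree, e.g. "If FILE is enabled for redirects, a redirect to a file: URL would cause libcurl to read (or write) arbitrary files ...". Two smaller points in the same hunk: "Since 7.19.4" after the colon should be lowercase, and "cause the libcurl to read" (carried over from the removed lines) should drop "the". Since the text now describes a per-protocol default, it would also help the reader to name the option that controls the redirect protocol set, CURLOPT_REDIR_PROTOCOLS(3), in the same \fI...\fP cross-reference style used for CURLOPT_FOLLOWLOCATION(3) earlier in the paragraph.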