diff options
| author | Jay Satiro <raysatiro@yahoo.com> | 2019-07-16 03:35:54 -0400 |
|---|---|---|
| committer | Jay Satiro <raysatiro@yahoo.com> | 2019-07-17 00:48:40 -0400 |
| commit | e8442e4ffcecf3e290c7e26c44e4aa313e016f9a (patch) | |
| tree | 71a78f4cb2afd84d1479f126affbfe3857a13eab /docs/libcurl | |
| parent | 647e726d78798356b5af7585ededd762ba76df6e (diff) | |
libcurl: Restrict redirect schemes (follow-up)
- Allow FTPS on redirect.
- Update default allowed redirect protocols in documentation.
Follow-up to 6080ea0.
Ref: https://github.com/curl/curl/pull/4094
Closes https://github.com/curl/curl/pull/4115
Diffstat (limited to 'docs/libcurl')
| -rw-r--r-- | docs/libcurl/libcurl-security.3 | 4 | ||||
| -rw-r--r-- | docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3 | 3 | ||||
| -rw-r--r-- | docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3 | 9 |
3 files changed, 9 insertions, 7 deletions
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3 index cdb97915c..da45ed7f6 100644 --- a/docs/libcurl/libcurl-security.3 +++ b/docs/libcurl/libcurl-security.3 @@ -97,8 +97,8 @@ Never ever switch off certificate verification. The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP redirects sent by a remote server. These redirects can refer to any kind of URL, not just HTTP. libcurl restricts the protocols allowed to be used in -redirects for security reasons: only HTTP, HTTPS and FTP are enabled by -default. Applications may opt to restrict thus set further. +redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are +enabled by default. Applications may opt to restrict that set further. A redirect to a file: URL would cause the libcurl to read (or write) arbitrary files from the local filesystem. If the application returns the data back to diff --git a/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3 b/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3 index f8d2b1889..d9f453817 100644 --- a/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3 +++ b/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3 @@ -39,7 +39,8 @@ libcurl will follow. libcurl limits what protocols it automatically follows to. The accepted protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl -will allow all protocols on redirect except those disabled for security +will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2). Older versions of +libcurl allowed all protocols on redirect except those disabled for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS are also disabled. diff --git a/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3 b/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3 index 3a5c3fcdc..f8901108b 100644 --- a/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3 +++ b/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3 @@ -37,10 +37,11 @@ redirections. Protocols denied by \fICURLOPT_PROTOCOLS(3)\fP are not overridden by this option. -By default libcurl will allow all protocols on redirect except several disabled -for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 -SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all protocols on -redirect, including those disabled for security. +By default libcurl will allow HTTP, HTTPS, FTP and FTPS on redirect (7.65.2). +Older versions of libcurl allowed all protocols on redirect except several +disabled for security reasons: Since 7.19.4 FILE and SCP are disabled, and +since 7.40.0 SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all +protocols on redirect, including those disabled for security. These are the available protocol defines: .nf |