Skip to content
  • Daniel Stenberg's avatar
    - David Kierznowski notified us about a security flaw · 042cc1f6
    Daniel Stenberg authored
      (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
      which previous libcurl versions (by design) can be tricked to access an
      arbitrary local/different file instead of a remote one when
      CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
      together this the addition of two new setopt options for controlling this
      new behavior:
    
      o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
      follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
      excludes the FILE and SCP protocols and thus you nee to explicitly allow
      them in your app if you really want that behavior.
    
      o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
      using the primary URL option. This is useful if you want to allow a user or
      other outsiders control what URL to pass to libcurl and yet not allow all
      protocols libcurl may have been built to support.
    042cc1f6
To find the state of this project's repository at the time of any of these versions, check out the tags.