David Kierznowski notified us about a security flaw (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in which previous libcurl versions (by design) can be tricked to access an arbitrary local/different file instead of a remote one when CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release together with the addition of two new setopt options for controlling this new behavior:

o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option excludes the FILE and SCP protocols and thus you need to explicitly allow them in your app if you really want that behavior.

o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch using the primary URL option. This is useful if you want to allow a user or other outsiders control what URL to pass to libcurl and yet not allow all protocols libcurl may have been built to support.
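The policy the commit message describes, as an added example that is not code from this commit or from libcurl: a small model in which one mask applies to the URL the application supplies and a second mask applies to every redirect target. The bit names, `scheme_bit` and `first_refused` are hypothetical, and the sample redirect chain is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol bits for this model; not libcurl's CURLPROTO_* values. */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4, P_SCP = 8, P_FILE = 16, P_ALL = 31 };

/* Redirect default as the commit message states it: all but FILE and SCP. */
#define REDIR_DEFAULT (P_ALL & ~(P_FILE | P_SCP))

/* Return the bit for a URL's scheme (case-insensitive), or 0 if unknown. */
static unsigned scheme_bit(const char *url)
{
    static const struct { const char *name; unsigned bit; } tab[] = {
        {"http", P_HTTP}, {"https", P_HTTPS}, {"ftp", P_FTP},
        {"scp", P_SCP}, {"file", P_FILE} };
    const char *sep = strstr(url, "://");
    size_t len, i, j;
    if (!sep) return 0;
    len = (size_t)(sep - url);
    for (i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (strlen(tab[i].name) != len)
            continue;
        for (j = 0; j < len && tolower((unsigned char)url[j]) == tab[i].name[j]; j++)
            ;
        if (j == len)
            return tab[i].bit;
    }
    return 0; /* unknown scheme matches no mask, so the hop is refused */
}

/* chain[0] is the URL the application supplied; chain[1..n-1] are successive
   Location targets. Returns the index of the first refused hop, or -1. */
int first_refused(const char **chain, int n, unsigned primary, unsigned redir)
{
    int i;
    for (i = 0; i < n; i++)
        if (!(scheme_bit(chain[i]) & (i == 0 ? primary : redir)))
            return i;
    return -1;
}

int main(void)
{
    /* Constructed chain: a remote URL whose server redirects to a local file. */
    const char *chain[] = { "http://example.com/feed", "file:///path/on/client" };
    printf("every protocol followed: %d, default redirect mask: %d\n",
           first_refused(chain, 2, P_ALL, P_ALL), first_refused(chain, 2, P_ALL, REDIR_DEFAULT));
    return 0;
}
```

An application that accepts URLs from outsiders would additionally narrow the primary mask, which in this model is the third argument.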
- CHANGES: 21 additions, 0 deletions
- RELEASE-NOTES: 8 additions, 2 deletions
- docs/libcurl/curl_easy_setopt.3: 24 additions, 0 deletions
- docs/libcurl/symbols-in-versions: 15 additions, 0 deletions
- include/curl/curl.h: 27 additions, 0 deletions
- lib/url.c: 35 additions, 1 deletion
- lib/urldata.h: 22 additions, 13 deletions