docs/libcurl/libcurl-security.3 +6 −1 @@ -151,6 +151,11 @@ address and port number for a server local to the app running libcurl but behind a firewall. Applications can mitigate against this by using the \fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP. Local servers sometimes assume local access comes from friends and trusted users. An application that expects http://example.com/file_to_read that and instead gets http://192.168.0.1/my_router_config might print a file that would otherwise be protected by the firewall. Allowing your application to connect to local hosts, be it the same machine that runs the application or a machine on the same local network, might be possible to exploit by an attacker who then perhaps can "port-scan" the @@ -303,7 +308,7 @@ enabled by applications that fail to properly validate server TLS/SSL certificates, thus enabling a malicious server to spoof a legitimate one. HTTPS without validated certificates is potentially as insecure as a plain HTTP connection. .SH "Resport Security Problems" .SH "Report Security Problems" Should you detect or just suspect a security problem in libcurl or curl, contact the project curl security team immediately. See the separate SECURITY.md document for details.
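Review bot: the new paragraph in the @@ -151,6 +151,11 @@ hunk has a grammar slip that makes the example hard to read: "An application that expects http://example.com/file_to_read that and instead gets http://192.168.0.1/my_router_config" carries a stray "that". Suggest "An application that expects to fetch http://example.com/file_to_read and instead gets http://192.168.0.1/my_router_config might return a file that would otherwise be protected by the firewall." Consider also saying how the application "instead gets" the local URL, since the surrounding text only covers FTP PASV redirection via \fICURLOPT_FTP_SKIP_PASV_IP(3)\fP and \fICURLOPT_FTPPORT(3)\fP while the example is an HTTP URL; one clause noting that redirects or attacker-supplied URLs lead to the same outcome would tie the paragraph to its context.

Review bot: the @@ -303,7 +308,7 @@ hunk is a correct one-word fix, "Resport" to "Report", in the .SH heading and needs no further change; since a man-page section title is what readers and any cross-references match on, it is worth grepping the rest of docs/ and SECURITY.md for the old misspelling so nothing still points at the wrong heading.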