docs: Update the redirect protocols disabled by default

- Clarify that FILE and SCP are disabled by default since 7.19.4 - Add that SMB and SMBS are disabled by default since 7.40.0 - Add CURLPROTO_SMBS to the list of protocols

docs: Update the redirect protocols disabled by default
1f1f131e · Jay Satiro · 9518139c · 1f1f131e · 1f1f131e · 1f1f131e
Commit 1f1f131e authored 9 years ago by Jay Satiro
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1313,8 +1313,20 @@ as concatenating the protocols into one instance of the option.

 (Added in 7.20.2)
 .IP "--proto-redir <protocols>"
-Tells curl to use the listed protocols after a redirect. See --proto for
-how protocols are represented.
+Tells curl to use the listed protocols on redirect. See --proto for how
+protocols are represented.
+
+Example:
+
+.RS
+.IP "--proto-redir -all,http,https"
+Allow only HTTP and HTTPS on redirect.
+.RE
+
+By default curl will allow all protocols on redirect except several disabled
+for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0
+SMB and SMBS are also disabled. Specifying \fIall\fP or \fI+all\fP enables all
+protocols on redirect, including those disabled for security.

 (Added in 7.20.2)
 .IP "--proxy-anyauth"

--- a/docs/libcurl/libcurl-tutorial.3
+++ b/docs/libcurl/libcurl-tutorial.3
@@ -1086,11 +1086,15 @@ NTLM authentication, HTTPS, FTPS, SCP and SFTP are a few examples.
 .IP "Redirects"
 The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
 redirects sent by a remote server.  These redirects can refer to any kind of
-URL, not just HTTP.  A redirect to a file: URL would cause the libcurl to read
-(or write) arbitrary files from the local filesystem.  If the application
-returns the data back to the user (as would happen in some kinds of CGI
-scripts), an attacker could leverage this to read otherwise forbidden data
-(e.g.  file://localhost/etc/passwd).
+URL, not just HTTP. By default libcurl will allow all protocols on redirect
+except several disabled for security reasons: Since 7.19.4 FILE and SCP are
+disabled, and since 7.40.0 SMB and SMBS are also disabled.
+
+A redirect to a file: URL would cause the libcurl to read (or write) arbitrary
+files from the local filesystem.  If the application returns the data back to
+the user (as would happen in some kinds of CGI scripts), an attacker could
+leverage this to read otherwise forbidden data (e.g.
+file://localhost/etc/passwd).

 If authentication credentials are stored in the ~/.netrc file, or Kerberos
 is in use, any other URL type (not just file:) that requires

--- a/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3
+++ b/docs/libcurl/opts/CURLOPT_FOLLOWLOCATION.3
@@ -37,8 +37,10 @@ returned. \fICURLOPT_MAXREDIRS(3)\fP can be used to limit the number of
 redirects libcurl will follow.

 libcurl can limit to what protocols it will automatically follow. The accepted
-protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP and it excludes the
-FILE protocol by default.
+protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl
+will allow all protocols on redirect except several disabled for security
+reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS
+are also disabled.

 For users who think the existing location following is too naive, too simple
 or just lacks features, it is very easy to instead implement your own redirect

--- a/docs/libcurl/opts/CURLOPT_PROTOCOLS.3
+++ b/docs/libcurl/opts/CURLOPT_PROTOCOLS.3
@@ -60,6 +60,7 @@ CURLPROTO_RTSP
 CURLPROTO_SCP
 CURLPROTO_SFTP
 CURLPROTO_SMB
+CURLPROTO_SMBS
 CURLPROTO_SMTP
 CURLPROTO_SMTPS
 CURLPROTO_TELNET

--- a/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3
+++ b/docs/libcurl/opts/CURLOPT_REDIR_PROTOCOLS.3
@@ -32,8 +32,12 @@ Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
 limits what protocols libcurl may use in a transfer that it follows to in a
 redirect when \fICURLOPT_FOLLOWLOCATION(3)\fP is enabled. This allows you to
 limit specific transfers to only be allowed to use a subset of protocols in
-redirections. By default libcurl will allow all protocols except for FILE and
-SCP.
+redirections.
+
+By default libcurl will allow all protocols on redirect except several disabled
+for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0
+SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all protocols on
+redirect, including those disabled for security.

 These are the available protocol defines:
 .nf
@@ -60,13 +64,14 @@ CURLPROTO_RTSP
 CURLPROTO_SCP
 CURLPROTO_SFTP
 CURLPROTO_SMB
+CURLPROTO_SMBS
 CURLPROTO_SMTP
 CURLPROTO_SMTPS
 CURLPROTO_TELNET
 CURLPROTO_TFTP
 .fi
 .SH DEFAULT
-All protocols except for FILE, SCP and SMB.
+All protocols except for FILE, SCP and since 7.40.0 SMB and SMBS.
 .SH PROTOCOLS
 All
 .SH EXAMPLE