On Tue, 31 Oct 2017, Ryan Schmidt wrote:
> Today's curl (7.56.1) automatically enables the use of libidn2, unless
> explicitly disabled via the --without-libidn2 configure flag.
> Do I take this to mean that curl with libidn2 is not considered dangerous
> anymore, and that it is now recommended for package maintainers to ship curl
> with libidn2 support enabled by default?

Well yes. libidn2 was never vulnerable to this problem, so once we added
support for that and dropped libidn, we could again support IDN fine in curl.
libidn2 is a different library than libidn.

> If so, is there a reason for us to give the user a way to disable that
> support or should we just enable it all the time? (In MacPorts, we prefer to
> limit user choices to the essentials; we don't expose every configure flag
> just because it's there.)

No, there's no known security reason to avoid enabling libidn2 in curl builds.
For generic curl builds I would recommend building with it so that users can
use international domain names in URLs.
--
/ daniel.haxx.se