On Oct 31, 2017, at 17:22, Daniel Stenberg wrote:

> On Tue, 31 Oct 2017, Ryan Schmidt wrote:
>
>> Today's curl (7.56.1) automatically enables the use of libidn2, unless
>> explicitly disabled via the --without-libidn2 configure flag.
>>
>> Do I take this to mean that curl with libidn2 is not considered dangerous
>> anymore, and that it is now recommended for package maintainers to ship curl
>> with libidn2 support enabled by default?
>
> Well yes. libidn2 was never vulnerable for this problem so once we added
> support for that and dropped libidn, we could again support IDN fine in curl.
> libidn2 is another library than libidn.
>
>> If so, is there a reason for us to give the user a way to disable that
>> support or should we just enable it all the time? (In MacPorts, we prefer to
>> limit user choices to the essentials; we don't expose every configure flag
>> just because it's there.)
>
> No, there's no known security reason to avoid enabling libidn2 in curl
> builds. For generic curl builds I would recommend building with it so that
> users can use international domain names in URLs.

Thanks for the clarifications! I've made the change in MacPorts:

https://github.com/macports/macports-ports/commit/8e960042fb486d052e9163b4f2f2a4b76f1c81dd
