On Tue, Feb 6, 2018 at 4:52 AM Daniel Stenberg <[email protected]> wrote:
> On Tue, 6 Feb 2018, Christian Schmitz wrote:
>
> > Can we disallow login & password in URLs? e.g. get an option to make perform
> > fail with error, if there is a @ in the URL before domain?
>
> That seems like it should be a pretty straightforward thing to add, sure!
>
> But in the context of "dangerous things", how do you see the user + password in
> the URL used to harm the application or the server?
>

If it's a good idea at all, would a sane implementation method (and
generalization) be string blacklisting (maybe preloaded w/ "@", etc., for
example)? I don't have the cURL src in front of me, and I don't know if
"components" are testable (i.e.: "the part before the domain"), or if a
regexp would fit the bill (or, perhaps both, instead of positing a false
dichotomy, and being aware of "The Center Cannot Hold"[0]). Not entirely
clear something like this "belongs" in cURL, but if there's enough interest
and value, probably good to have something centralized. "@" turned out to be
more interesting to me than I'd have imagined...

[0] https://stackoverflow.com/a/1732454

> > And the Use SSL options being 3 would it fail with HTTP:// URL?
>
> CURLOPT_PROTOCOLS is the option to enable/disable specific protocols. There's
> no generic "disable all non-authenticated protocols" option.
>
> Of course, an interesting idea is to let CURLOPT_USE_SSL affect *all*
> protocols so that you can require TLS/SSL to be used with that option even for
> HTTP(S). But that's not how that option works right now...
>
> --
>
> / daniel.haxx.se
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
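The "@ before the domain" test discussed in the thread, as an added example in C that is not curl's code: it isolates the RFC 3986 authority component (what follows "scheme://" up to the first "/", "?" or "#") and refuses a URL only when an "@" sits there, so an "@" in a path or query string does not trip it the way a plain string blacklist would. The function names and the policy hook are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libcurl code.  True when the URL carries userinfo
 * (user[:password]) in its authority: an '@' that sits after "scheme://"
 * and before the first '/', '?' or '#'.  An '@' in the path or query is
 * not a credential and is left alone. */
bool url_has_userinfo(const char *url)
{
    const char *authority = url;
    const char *p = url;

    /* scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then "://" */
    if (isalpha((unsigned char)*p)) {
        while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
            p++;
        if (strncmp(p, "://", 3) == 0)
            authority = p + 3;
    }
    /* with no scheme, curl guesses one and the prefix is still the authority */

    size_t auth_len = strcspn(authority, "/?#");
    return memchr(authority, '@', auth_len) != NULL;
}

/* Hypothetical policy hook a caller could run before curl_easy_perform():
 * 0 = accept, -1 = refuse to send embedded credentials. */
int check_url_policy(const char *url)
{
    if (url_has_userinfo(url)) {
        fprintf(stderr, "refusing URL with embedded credentials: %s\n", url);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed sample URLs */
    const char *samples[] = {
        "https://user:secret@example.com/",   /* userinfo: refused */
        "http://example.com/path@notcreds",    /* '@' in path: accepted */
        "http://example.com/?to=a@b.example",  /* '@' in query: accepted */
        "user@example.com",                    /* no scheme: still userinfo */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %s\n", samples[i],
               check_url_policy(samples[i]) == 0 ? "accept" : "refuse");
    return 0;
}
```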
