A couple of quick points: "Localhost is hard to protect" says "may be possible to exploit to "port-scan" the particular hosts". I think that needs a slight rewording.
I had never heard of WHATWG - perhaps a link to https://daniel.haxx.se/blog/tag/whatwg/ (etc) might be helpful. Pete -------------------------------------------- On Tue, 6/2/18, Daniel Stenberg <[email protected]> wrote: Subject: "URLs are dangerous things" To: "libcurl hacking" <[email protected]> Date: Tuesday, 6 February, 2018, 7:24 Hi friends, Every now and then we get security problems reported to us that are really just various types of attacks you can do if you can either A) modify the url your curl application is using and/or B) have a server respond with a perfectly fine protocol-wise but malicious response to curl. Letting users freely set the URL, or parts of the URL, for your curl-using application can get consequences. I've started to document exactly what consequences and how: https://gist.github.com/bagder/c22b31fab3bf9e21ff82f872bd5bd372#file-urls-in-curl-md I'm interested in feedback and help in polishing it up to actually be helpful. -- / daniel.haxx.se ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
