It's my first time mailing this list, and thanks a lot for the immense efforts and impact Curl has made in all of our lives and software!
With the addition of CURLOPT_PREREQFUNCTION, one could write a callback function to selectively block requests to certain IP/port ranges. This is great, and I think it comes in handy when trying to prevent SSRF vulnerabilities by blocking the request if it directs to an IP address that is reserved or private.

As far as I'm aware, there is no configuration option that would prevent Curl from connecting to these IP addresses (apart from selectively blocking with CURLOPT_PREREQFUNCTION), and it is not possible to effectively prevent server-side request forgery attacks by preliminarily checking the destination IP address because the attacker can send a public IP address first, and the private IP address just for Curl (effectively DNS rebinding).

I would like to request a feature that can be used to request Curl to abort the connection if it attempts to connect to a private or reserved IP address. For example, a CURLOPT_BLOCK_PRIVATE_IP and CURLOPT_BLOCK_RESERVED_IP pair that accepts a true/false value, and blocks IPv4 and IPv6 private/reserved IP ranges. This is effectively writing a CURLOPT_PREREQFUNCTION callback that does this in userland code, but made easier by Curl itself.

I understand that these toggles might be redundant because one could write any selective blocking pattern with CURLOPT_PREREQFUNCTION, but I'm really seeing these options making things a lot easier for the layman.

Thank you,
Ayesh.
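The userland callback the message describes, as an added example that is not part of the original post or of curl itself: it rejects a connection whose peer address is private or reserved, checking the address curl actually connected to rather than an earlier DNS answer. The names `ip_is_internal`, `block_internal_prereq` and `v4_blocked` are hypothetical, and the range list is a selection of well-known private and reserved blocks, not an exhaustive one.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#ifndef CURL_PREREQFUNC_OK      /* same values as <curl/curl.h>; lets this build alone */
#define CURL_PREREQFUNC_OK 0
#define CURL_PREREQFUNC_ABORT 1
#endif

/* Private and reserved IPv4 blocks as {network, prefix length} (selection). */
static const struct { uint32_t net; int bits; } v4_blocked[] = {
  {0x00000000, 8},  {0x0A000000, 8},  {0x64400000, 10}, {0x7F000000, 8},  {0xA9FE0000, 16},
  {0xAC100000, 12}, {0xC0000000, 24}, {0xC0000200, 24}, {0xC0A80000, 16}, {0xC6120000, 15},
  {0xC6336400, 24}, {0xCB007100, 24}, {0xE0000000, 4},  {0xF0000000, 4},
};

static int v4_is_internal(uint32_t addr)   /* addr in host byte order */
{
  for(size_t i = 0; i < sizeof(v4_blocked) / sizeof(v4_blocked[0]); i++)
    if((addr & (0xFFFFFFFFu << (32 - v4_blocked[i].bits))) == v4_blocked[i].net)
      return 1;
  return 0;
}

/* Returns 1 if ip is private/reserved or cannot be parsed (fail closed), else 0. */
int ip_is_internal(const char *ip)
{
  static const unsigned char zero[15] = {0};
  struct in_addr a4;
  struct in6_addr a6;
  const unsigned char *b = a6.s6_addr;
  if(inet_pton(AF_INET, ip, &a4) == 1)
    return v4_is_internal(ntohl(a4.s_addr));
  if(inet_pton(AF_INET6, ip, &a6) != 1) return 1;
  if(!memcmp(b, zero, 10) && b[10] == 0xFF && b[11] == 0xFF)   /* ::ffff:a.b.c.d */
    return v4_is_internal((uint32_t)b[12] << 24 | b[13] << 16 | b[14] << 8 | b[15]);
  return (!memcmp(b, zero, 15) && b[15] <= 1)          /* :: and ::1 */
      || (b[0] & 0xFE) == 0xFC                         /* fc00::/7 unique local */
      || (b[0] == 0xFE && (b[1] & 0xC0) == 0x80)       /* fe80::/10 link-local */
      || b[0] == 0xFF                                  /* ff00::/8 multicast */
      || (b[0] == 0x20 && b[1] == 0x01 && b[2] == 0x0D && b[3] == 0xB8); /* 2001:db8::/32 */
}

/* Register with curl_easy_setopt(handle, CURLOPT_PREREQFUNCTION, block_internal_prereq). */
int block_internal_prereq(void *clientp, char *conn_primary_ip,
                          char *conn_local_ip, int conn_primary_port, int conn_local_port)
{
  (void)clientp; (void)conn_local_ip; (void)conn_primary_port; (void)conn_local_port;
  return ip_is_internal(conn_primary_ip) ? CURL_PREREQFUNC_ABORT : CURL_PREREQFUNC_OK;
}
```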