On Tue, 14 Dec 2021, Ayesh Karunaratne via curl-library wrote:
> With the addition of CURLOPT_PREREQFUNCTION, one could write a callback function to selectively block requests to certain IP/port ranges. This is great, and I think it comes in handy when trying to prevent SSRF vulnerabilities by blocking the request if it directs to an IP address that is reserved or private.
Isn't the solution to this, and a remedy to many other attacks at the same time, rather to use a secure protocol? If you use a TLS- or SSH-based protocol, it doesn't matter if someone manages to trick curl into connecting to the wrong address as it won't survive the handshake anyway!
--
 / daniel.haxx.se
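The callback described in the quoted message, sketched as an added example that is not part of the original thread or of curl itself. The names `ip_is_blocked` and `ssrf_prereq` are hypothetical, and the list of refused ranges is an assumption about what a deployment would treat as internal, not an exhaustive registry of reserved space.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Same values as CURL_PREREQFUNC_OK/ABORT in <curl/curl.h> (7.80.0+), defined here
   only so this added example builds without the curl headers. */
#ifndef CURL_PREREQFUNC_OK
#define CURL_PREREQFUNC_OK 0
#define CURL_PREREQFUNC_ABORT 1
#endif

/* Returns 1 when ip is loopback, private, link-local, multicast or reserved.
   Text that does not parse as IPv4 or IPv6 fails closed (also 1). */
int ip_is_blocked(const char *ip)
{
    struct in_addr a4; struct in6_addr a6;
    if (inet_pton(AF_INET, ip, &a4) == 1) {
        uint32_t h = ntohl(a4.s_addr);
        return (h >> 24) == 0 ||                    /* 0.0.0.0/8 */
               (h >> 24) == 10 ||                   /* 10.0.0.0/8 */
               (h >> 24) == 127 ||                  /* 127.0.0.0/8 loopback */
               (h >> 22) == (0x64400000u >> 22) ||  /* 100.64.0.0/10 CGNAT */
               (h >> 16) == 0xA9FE ||               /* 169.254.0.0/16 link-local */
               (h >> 20) == 0xAC1 ||                /* 172.16.0.0/12 */
               (h >> 16) == 0xC0A8 ||               /* 192.168.0.0/16 */
               (h >> 28) >= 0xE;                    /* 224.0.0.0/3 multicast, reserved */
    }
    if (inet_pton(AF_INET6, ip, &a6) == 1) {
        const uint8_t *b = a6.s6_addr;
        static const uint8_t zero[15] = {0};
        static const uint8_t v4map[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
        if (memcmp(b, zero, 15) == 0 && b[15] <= 1) return 1;  /* :: and ::1 */
        if (memcmp(b, v4map, 12) == 0) {   /* ::ffff:a.b.c.d, re-check as IPv4 */
            char v4[INET_ADDRSTRLEN];
            return !inet_ntop(AF_INET, b + 12, v4, sizeof v4) || ip_is_blocked(v4);
        }
        return (b[0] & 0xfe) == 0xfc ||                   /* fc00::/7 unique local */
               (b[0] == 0xfe && (b[1] & 0xc0) == 0x80) || /* fe80::/10 link-local */
               b[0] == 0xff;                              /* ff00::/8 multicast */
    }
    return 1;
}

/* curl_prereq_callback for curl_easy_setopt(h, CURLOPT_PREREQFUNCTION, ssrf_prereq). */
int ssrf_prereq(void *clientp, char *conn_primary_ip, char *conn_local_ip,
                int conn_primary_port, int conn_local_port)
{
    (void)clientp; (void)conn_local_ip; (void)conn_primary_port; (void)conn_local_port;
    return ip_is_blocked(conn_primary_ip) ? CURL_PREREQFUNC_ABORT : CURL_PREREQFUNC_OK;
}
```

libcurl invokes the prereq callback after the connection is established (or reused) and before the request is sent, so this check stops the request from going out but not the connect itself.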