> It isn't directly a RCE, but it seems like that might be a possibility -- say > some process > was using FTP/STARTTLS to download a script to run. If a MITM can interject > content > as the top of that script, that could be unpleasant.
Sorry but with that logic almost everything becomes an RCE. It's not an RCE unless it can directly be used to run code. Changing script content (however dangerous) is not causing it to run (and for sure not by curl itself).
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
