> On 15 Dec 2022, at 09:06, Daniel Stenberg via curl-library <curl-library@lists.haxx.se> wrote:
>
> After my recent blog post "IDN is crazy" [1], a few people have requested a new option to curl that prevents it from accepting/using IDN. To reduce the risk of getting exploited by one of the many trickeries you can do with it.

The main attack vector, as I understand it, is tricking users into copy/pasting a commandline with an IDN hostname in it, causing the user to interact with fake.com instead of legitimate.com. If the option is a commandline option then that wouldn't really add much protection, as it wouldn't be included in what is copied. An environment variable would add more protection, but would also be more cumbersome and likely less used.

Another question is where to draw the line in the IDN process: if someone types a punycode URL into the commandline with the IDN option turned off, should that be allowed? It's all ASCII but it's still an IDN.

I'm not convinced that it would add protection enough to warrant the added complexity.

--
Daniel Gustafsson
https://vmware.com/
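The "where to draw the line" question above is easiest to reason about with a concrete classifier. The following is an added example for this thread, not code from curl or from either poster: it takes a URL, reports whether its hostname carries non-ASCII (U-label) IDN labels, ASCII punycode (`xn--`) labels, or neither, and applies a hypothetical policy where an operator decides whether the punycode spelling counts as IDN. The function names (`classify_host`, `reject_reason`), the `allow_punycode` flag and the sample hostnames are all assumptions made for the illustration; only Python's standard `idna` codec is used.

```python
from urllib.parse import urlsplit


def classify_host(url: str) -> dict:
    """Inspect the hostname of a URL for IDN content.

    Returns a dict with:
      host        - the hostname as given (lowercased, trailing dot removed)
      is_unicode  - True if any label contains non-ASCII characters (U-label)
      is_punycode - True if any label is an ACE/A-label starting with 'xn--'
      is_idn      - True if either of the above holds
      ascii_form  - the host with U-labels converted to A-labels, so the two
                    spellings of the same name compare equal
    """
    # urlsplit only populates .hostname when a '//' authority is present,
    # so a bare "host/path" string gets one prepended.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []

    is_unicode = any(not label.isascii() for label in labels)
    is_punycode = any(label.startswith("xn--") for label in labels)

    # Per-label ToASCII via the stdlib 'idna' codec (RFC 3490); ASCII
    # labels, including existing xn-- ones, pass through unchanged.
    ascii_form = ".".join(
        label if label.isascii() else label.encode("idna").decode("ascii")
        for label in labels
    )

    return {
        "host": host,
        "is_unicode": is_unicode,
        "is_punycode": is_punycode,
        "is_idn": is_unicode or is_punycode,
        "ascii_form": ascii_form,
    }


def reject_reason(url: str, allow_punycode: bool = False):
    """Hypothetical 'no IDN' policy check.

    Returns None when the URL is acceptable, otherwise a short string
    explaining why it was rejected. With allow_punycode=False the ASCII
    xn-- spelling is treated as IDN too, which is the stricter reading of
    the question raised in the thread.
    """
    info = classify_host(url)
    if info["is_unicode"]:
        return "hostname contains non-ASCII IDN label(s): %s" % info["host"]
    if info["is_punycode"] and not allow_punycode:
        return "hostname contains punycode IDN label(s): %s" % info["host"]
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the RFC 3492 'bücher' example in both
    # spellings plus a plain ASCII name.
    for sample in ("https://bücher.example/",
                   "https://xn--bcher-kva.example/",
                   "https://legitimate.com/"):
        print(sample, classify_host(sample), reject_reason(sample))
```

Running it shows that `bücher.example` and `xn--bcher-kva.example` normalise to the same `ascii_form`, which is the practical argument for treating the punycode spelling as IDN when the option is meant to keep users away from IDN hostnames altogether: a check that only looks for non-ASCII bytes would pass the second spelling straight through.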