On Thu, Mar 12, 2009 at 12:39 PM, Niki <u...@domain.invalid> wrote:
> Jochem Maas ha scritto:
>>
>> essentially, yes. note that if someone can upload a script and run it, a
>> bug in curl is the least of your worries. you have already been owned.
>
> Yes, obviously. :D I agree with you. :)
>
>>
>> the curl issue is more pertinent to situations where one is using curl
>> with CURLOPT_FOLLOWLOCATION (which seems like you'd want to use it
>> normally) and an attacker has some idea about how to be on the receiving
>> end of the curl call ... thereby allowing them to make your curl call eat
>> some nasty url (which may cause you to disclose sensitive info to the
>> callee, that was intended, for example, for a legitimate webservice ...
>> at least that's the way I understand it (hopefully someone will correct
>> me if I've got my wires crossed)
>
> I'm not so sure that I've understood...  The attack could be successful when
> the libcurl extension is activated and there is a PHP page on the server that
> accepts a URL from the client and passes it to a cURL function. Is that correct?
> If so, I think this could be considered only as an example of awful
> programming. Isn't it?
>
>
>>
>> P.S. please use a valid email address.
>
> I never use a valid e-mail address in order to protect myself from spam. If there
> is a sort of "manifesto" that users must follow to send messages here I will
> surely specify my true e-mail address.
>
> Thank you very much again! ;)
>

Not a "manifesto", but the standard advice given to people who post to
this list is to use Reply-All when replying to the list. If your
address is invalid, people will have to manually remove it from the
list of recipients or else they will get a bounce response when it
tries to send to your u...@domain.invalid address.

Andrew
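The scenario Jochem describes above (a PHP page handing a caller-supplied URL to cURL with CURLOPT_FOLLOWLOCATION, so a redirect can steer the request at a target the caller never intended) can be defended against by refusing to let libcurl follow redirects on its own and checking every hop first. The following is an added example written for this page, not code posted by anyone in the thread; the function name `safe_curl_fetch`, the host allow-list and the 5-hop limit are illustrative assumptions, and it relies on CURLINFO_REDIRECT_URL and CURLOPT_PROTOCOLS, which newer PHP/libcurl versions provide.

```php
<?php
// Added example: fetch a URL with cURL while handling redirects manually,
// so each redirect target is validated before it is requested.
// Assumption: $allowedHosts and the hop limit are illustrative values.

function safe_curl_fetch(string $url, array $allowedHosts, int $maxHops = 5): ?string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $parts = parse_url($url);
        // Only http/https to an allow-listed host; rejects file://, scp://, etc.
        if ($parts === false
            || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
            || !in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
            return null;
        }

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,  // never let libcurl follow on its own
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 15,
        ]);
        $body     = curl_exec($ch);
        $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $location = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // resolved Location header
        curl_close($ch);

        if ($body === false) {
            return null; // transport error
        }
        if ($status >= 300 && $status < 400 && $location) {
            // Redirect: loop around so the new target goes through the same checks.
            $url = $location;
            continue;
        }
        return $body;
    }
    return null; // redirect chain too long
}

var_dump(safe_curl_fetch('https://api.example.com/data', ['api.example.com']));
```

Because FOLLOWLOCATION is off, any credentials attached to the first request (CURLOPT_USERPWD, custom headers) are not replayed to a redirect target automatically; attach them per hop only if the validated host warrants it.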

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php