Andrew Ballard wrote:
> On Thu, Mar 12, 2009 at 12:39 PM, Niki <u...@domain.invalid> wrote:
>> Jochem Maas wrote:
>>> essentially, yes. note that if someone can upload a script and run it, a
>>> bug in curl is the least of your worries. you have already been owned.
>> Yes, obviously. :D I agree with you. :)
>>
>>> the curl issue is more pertinent to situations where one is using curl
>>> with CURLOPT_FOLLOWLOCATION (which seems like you'd want to use it
>>> normally) and an attacker has some idea about how to be on the receiving
>>> end of the curl call ... thereby allowing them to make your curl call eat
>>> some nasty url (which may cause you to disclose sensitive info to the
>>> callee, that was intended, for example, for a legitimate webservice ...
>>> at least that's the way I understand it (hopefully someone will correct
>>> me if I've got my wires crossed)
>> I'm not so sure that I've understood... The attack could be successful when
>> libcurl extension is activated and there is a php page on the server that
>> accepts a URL from the client passing it to cURL function. Is it correct?
>> If so, I think this could be considered only as an example of awful
>> programming. Isn't it?

yes, but the problem could also be due to DNS spoofing or some hijacking
technique used on the server that one is talking to via curl, i.e. it's
likely not something you can necessarily control via your own code.

>>
>>> P.S. please use a valid email address.
>> I never use valid e-mail address in order to protect me from spam. If there
>> is a sort of "manifesto" that users must follow to send messages here I will
>> surely specify my true e-mail address.
>>
>> Thank you very much again! ;)
>>
> 
> Not a "manifesto", but the standard advice given to people who post to
> this list is to use Reply-All when replying to the list. If your
> address is invalid, people will have to manually remove it from the
> list of recipients or else they will get a bounce response when it
> tries to send to your u...@domain.invalid address.

which is annoying. people are fickle, you'd rather they didn't skip
past your questions.

we use Reply-All because hitting Reply doesn't reply to the list but
to the OP ... and discussions should generally stay on the list.

it basically comes down to 'just live with it', the spam that is,
and make sure you have some decent filtering in place.

> 
> Andrew
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
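
Added example, not part of the original thread: one way to keep a PHP curl call from following a redirect to an unintended URL is to turn off CURLOPT_FOLLOWLOCATION and re-validate every hop against a scheme and host allowlist. The helper names and the hosts are hypothetical and constructed; CURLINFO_REDIRECT_URL and CURLOPT_PROTOCOLS need a PHP/libcurl build that provides them. A host allowlist does not address the DNS-spoofing case raised above, which is why the sketch leaves curl's default TLS certificate verification on.

```php
<?php
// Added example: hypothetical helper names; all hosts below are constructed.

/** True only for http(s) URLs whose host is on the allowlist. */
function is_allowed_target(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // e.g. file:///... has no host component
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

/** Fetch $url, following at most $maxHops redirects, each one re-validated. */
function fetch_checked(string $url, array $allowedHosts, int $maxHops = 3): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!is_allowed_target($url, $allowedHosts)) {
            throw new RuntimeException("Refusing to request: $url");
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // libcurl never chases Location itself
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        if ($body === false) {
            throw new RuntimeException('curl error: ' . curl_error($ch));
        }
        // With FOLLOWLOCATION off, this is the URL the server asked us to visit next.
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        if (empty($next)) {
            return $body; // not a redirect: done
        }
        $url = $next; // validated at the top of the next iteration
    }
    throw new RuntimeException('Too many redirects');
}

// Offline check of the validator on constructed redirect targets (no network used).
$allowed = ['api.example.com'];
$samples = ['https://api.example.com/v1/items', 'https://other.example.net/collect',
            'file:///tmp/constructed.txt', 'scp://api.example.com/x'];
foreach ($samples as $u) {
    printf("%-36s %s\n", $u, is_allowed_target($u, $allowed) ? 'allow' : 'refuse');
}
```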
