[GNUnet-SVN] [gnurl] 56/163: libcurl-security.3: improved layout for two
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 56/163: libcurl-security.3: improved layout for two rememdy lists
Date: Sun, 05 Aug 2018 12:36:22 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 71d35e4a1d96011076d3e81cad4e7b417d9a3985
Author: Daniel Stenberg <address@hidden>
AuthorDate: Thu May 31 11:19:05 2018 +0200
libcurl-security.3: improved layout for two rememdy lists
---
docs/libcurl/libcurl-security.3 | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3
index f5f510e2c..79952d314 100644
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -88,9 +88,11 @@ have been injected by an attacker. The data that curl sends
might be modified
before it reaches the intended server. If it even reaches the intended server
at all.
-Remedies include:
- - Restrict operations to authenticated transfers
- - Make sure the server's certificate etc is verified
+Remedies:
+.IP "Restrict operations to authenticated transfers"
+Ie use authenticated protocols protected with HTTPS or SSH.
+.IP "Make sure the server's certificate etc is verified"
+Never ever switch off certificate verification.
.SH "Redirects"
The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
redirects sent by a remote server. These redirects can refer to any kind of
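Review bot: In the first added .IP body, "Ie use authenticated protocols protected with HTTPS or SSH." should start with "I.e." or simply with "Use", and "protocols protected with HTTPS or SSH" is circular because HTTPS and SSH are the protocols in question; "Use authenticated protocols such as HTTPS or SSH." would read better. The second item says "Never ever switch off certificate verification." without naming what controls it. Referring to \fICURLOPT_SSL_VERIFYPEER(3)\fP and \fICURLOPT_SSL_VERIFYHOST(3)\fP there would tell readers which settings to leave enabled, and the "etc" in that item's title should be spelled out or dropped.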
@@ -233,11 +235,13 @@ particular scheme in the URL but point to a server doing
a different protocol
on a non-standard port.
Remedies:
-
- - curl command lines can use \fI--proto\fP to limit what schemes it accepts
- - libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP
- - consider not allowing the user to set the full URL
- - consider strictly filtering input to only allow specific choices
+.IP "Use --proto"
+curl command lines can use \fI--proto\fP to limit what URL schemes it accepts
+.IP "Use CURLOPT_PROTOCOLS"
+libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP to limit what URL schemes
it accepts
+.IP "consider not allowing the user to set the full URL"
+Maybe just let the user provide data for parts of it? Or maybe filter input to
+only allow specific choices?
.SH "RFC 3986 vs WHATWG URL"
curl supports URLs mostly according to how they are defined in RFC 3986, and
has done so since the beginning.
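Review bot: The removed list had four remedies and the added one has three: "consider strictly filtering input to only allow specific choices" is now folded into the body of the third .IP item and phrased as a question ("Or maybe filter input to only allow specific choices?"). Declarative advice is clearer in a security man page, so consider keeping input filtering as its own .IP item with a plain statement. Smaller points in the same hunk: the third .IP title starts lower-case while the first two start with "Use"; "libcurl programs can use ... to limit what URL schemes it accepts" should read "they accept"; and the bodies of the first two items lack a closing period.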