Re: [Bug-wget] [curlsec] [USN-3464-1] Wget vulnerabilities
From: Dale R. Worley
Subject: Re: [Bug-wget] [curlsec] [USN-3464-1] Wget vulnerabilities
Date: Sun, 31 Dec 2017 09:13:47 -0500

Kristian Erik Hermansen <address@hidden> writes:
> I still contend that this is at least a bug, and potentially a
> security issue, but only when the headers are ones that should NEVER
> have multiple values.

I agree with others that it's not clear that there's a security issue
here. It appears that wget/curl can be used to generate HTTP requests
(or pseudo-HTTP requests) that might exploit security problems in web
servers, but that's the web servers' problem, not wget's/curl's.
Certainly, making sure that wget/curl can't generate such requests
doesn't stop the black-hats from generating them by other means.

Dale