[GNUnet-SVN] [gnurl] 70/150: libcurl-security.3: the http://192.168.0.1/
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 70/150: libcurl-security.3: the http://192.168.0.1/my_router_config case
Date: Fri, 30 Mar 2018 16:48:44 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 1e720400aaab007f7b06099f94c09ea0d59036e7
Author: Daniel Stenberg <address@hidden>
AuthorDate: Tue Feb 13 13:54:11 2018 +0100
libcurl-security.3: the http://192.168.0.1/my_router_config case
Mentioned-By: Rich Moore
---
docs/libcurl/libcurl-security.3 | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3
index 3334d581c..185fb6b08 100644
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -151,6 +151,11 @@ address and port number for a server local to the app
running libcurl but
behind a firewall. Applications can mitigate against this by using the
\fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP.
+Local servers sometimes assume local access comes from friends and trusted
+users. An application that expects http://example.com/file_to_read that and
+instead gets http://192.168.0.1/my_router_config might print a file that would
+otherwise be protected by the firewall.
+
Allowing your application to connect to local hosts, be it the same machine
that runs the application or a machine on the same local network, might be
possible to exploit by an attacker who then perhaps can "port-scan" the
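Review bot: The second added sentence has a stray "that" in "expects http://example.com/file_to_read that and instead gets"; drop it so the sentence reads "expects http://example.com/file_to_read and instead gets". The sentence also does not say how the application ends up with the unexpected URL, so consider naming the source (for example a redirect or user-supplied input) so that readers know which code path to check.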
@@ -303,7 +308,7 @@ enabled by applications that fail to properly validate
server TLS/SSL
certificates, thus enabling a malicious server to spoof a legitimate
one. HTTPS without validated certificates is potentially as insecure as a
plain HTTP connection.
-.SH "Resport Security Problems"
+.SH "Report Security Problems"
Should you detect or just suspect a security problem in libcurl or curl,
contact the project curl security team immediately. See the separate
SECURITY.md document for details.
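Review bot: The heading correction from "Resport" to "Report" in the .SH line is right, but it is unrelated to the router-config paragraph that the commit subject names. Mention the typo fix in the commit message or split it into its own commit so it can be found in the log.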
--
To stop receiving notification emails like this one, please contact
address@hidden