[gnurl] 12/264: docs: add warnings about FILE: URLs on Windows
From: gnunet
Subject: [gnurl] 12/264: docs: add warnings about FILE: URLs on Windows
Date: Thu, 30 Apr 2020 16:05:15 +0200
This is an automated email from the git hooks/post-receive script.
nikita pushed a commit to branch master
in repository gnurl.
commit 0845ecbb6dcaadad4a4891f7e85efb8c8e626ff6
Author: Daniel Stenberg <address@hidden>
AuthorDate: Mon Mar 9 14:59:21 2020 +0100
docs: add warnings about FILE: URLs on Windows
- --url man page section
- libcurl-security.3 gets the full text
- CURLOPT_URL.3
Reported-by: Tim Sedlmeyer
---
docs/cmdline-opts/url.d | 3 +++
docs/libcurl/libcurl-security.3 | 28 +++++++++++++++++++++++++++-
docs/libcurl/opts/CURLOPT_URL.3 | 6 +++++-
3 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/docs/cmdline-opts/url.d b/docs/cmdline-opts/url.d
index ce52cdf06..991f1f27c 100644
--- a/docs/cmdline-opts/url.d
+++ b/docs/cmdline-opts/url.d
@@ -13,3 +13,6 @@ setting a default protocol, see --proto-default for details.
This option may be used any number of times. To control where this URL is
written, use the --output or the --remote-name options.
+
+Warning: On Windows, particular file:// accesses can be converted to network
+accesses by the operating system. Beware!
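Review bot: the new warning paragraph states the hazard but gives the user nothing to act on; since this same commit tells libcurl-security.3 readers to disable the FILE protocol, the --url text should point at the command-line equivalent (e.g. `--proto -file`, the existing protocol-selection option) or at least at the new section in libcurl-security(3). Minor wording: "particular file:// accesses" is vague; "accesses to certain file:// paths" says what is meant.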
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3
index da45ed7f6..f340facd3 100644
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <address@hidden>, et al.
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <address@hidden>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -217,6 +217,32 @@ avoid that, keep control of what URLs to use and/or
prevent curl/libcurl from
using the protocol.
By default, libcurl prohibits redirects to file:// URLs.
+
+.SH "Warning: file:// on Windows"
+The Windows operating system will automatically, and without any way for
+applications to disable it, try to establish a connection to another host over
+the network and access it (over SMB or other protocols), if only the correct
+file path is accessed.
+
+When first realizing this, the curl team tried to filter out such attempts in
+order to protect applications for inadvertent probes of for example internal
+networks etc. This resulted in CVE-2019-15601 and the associated security fix.
+
+However, we've since been made aware of the fact that the previous fix was far
+from adequate as there are several other ways to accomplish more or less the
+same thing: accessing a remote host over the network instead of the local file
+system.
+
+The conclusion we have come to is that this is a weakness or feature in the
+Windows operating system itself, that we as an application cannot safely
+protect users against. It would just be a whack-a-mole race we don't want to
+participate in. There are too many ways to do it and there's no knob we can
+use to turn off the practice.
+
+If you use curl or libcurl on Windows (any version), disable the use of the
+FILE protocol in curl or be prepared that accesses to a range of "magic paths"
+will potentially make your system try to access other hosts on your
+network. curl cannot protect you against this.
.SH "What if the user can set the URL"
Applications may find it tempting to let users set the URL that it can work
on. That's probably fine, but opens up for mischief and trickery that you as
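Review bot: the closing paragraph of the new section tells applications to "disable the use of the FILE protocol in curl" without naming the mechanism, so the reader still has to go looking; naming CURLOPT_PROTOCOLS (with CURLPROTO_FILE cleared) for libcurl and `--proto -file` for the command-line tool would close the loop. Two wording fixes in the first two paragraphs: "if only the correct file path is accessed" reads as a condition ("provided that") and should be "merely by accessing a particular file path", and "protect applications for inadvertent probes" should be "protect applications from inadvertent probes".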
diff --git a/docs/libcurl/opts/CURLOPT_URL.3 b/docs/libcurl/opts/CURLOPT_URL.3
index c88a1f12c..a5dcf9167 100644
--- a/docs/libcurl/opts/CURLOPT_URL.3
+++ b/docs/libcurl/opts/CURLOPT_URL.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <address@hidden>, et al.
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <address@hidden>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -152,6 +152,10 @@ path.
ftp://user:address@hidden//readme.txt - This retrieves the readme.txt
from the root directory when logging in as a specified user.
+.IP FILE
+When a FILE:// URL is accessed on Windows systems, it can be crafted in a way
+so that Windows attempts to connect to a (remote) machine when curl wants to
+read or write such a path.
.IP SMTP
The path part of a SMTP request specifies the host name to present during
communication with the mail server. If the path is omitted then libcurl will
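Review bot: the new .IP FILE entry describes the hazard but, unlike the surrounding entries, gives the application author nothing to do about it; a one-line cross-reference to the "Warning: file:// on Windows" section that this same commit adds to libcurl-security(3), and to CURLOPT_PROTOCOLS(3) as the way to turn FILE off, would make the entry actionable. Also, "FILE:// URL" here mixes case with the "file://" spelling used in the other two files of this commit; pick one spelling.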