granicus.if.org Git - curl/commit

author	Daniel Stenberg <daniel@haxx.se>
	Mon, 2 Mar 2009 23:05:31 +0000 (23:05 +0000)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 2 Mar 2009 23:05:31 +0000 (23:05 +0000)
commit	042cc1f69ec0878f542667cb684378869f859911
tree	c906f85632eb6018fadb153a4c5cdd2fe48072a5	tree \| snapshot
parent	90b804d3fa74e9d4fe260c889e9ccebdb7aaa3b1	commit \| diff

- David Kierznowski notified us about a security flaw
  (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
  which previous libcurl versions (by design) can be tricked to access an
  arbitrary local/different file instead of a remote one when
  CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
  together this the addition of two new setopt options for controlling this
  new behavior:

  o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
  follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
  excludes the FILE and SCP protocols and thus you nee to explicitly allow
  them in your app if you really want that behavior.

  o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
  using the primary URL option. This is useful if you want to allow a user or
  other outsiders control what URL to pass to libcurl and yet not allow all
  protocols libcurl may have been built to support.

CHANGES		diff \| blob \| history
RELEASE-NOTES		diff \| blob \| history
docs/libcurl/curl_easy_setopt.3		diff \| blob \| history
docs/libcurl/symbols-in-versions		diff \| blob \| history
include/curl/curl.h		diff \| blob \| history
lib/url.c		diff \| blob \| history
lib/urldata.h		diff \| blob \| history