Comments (7)
This is by design, not a bug. We are not prepared to cause breakage to countless scripts in the world. We recommend you switch default proto or disable plain http in your .curlrc or similar.
I would welcome a deeper discussion on how, or when, this kind of change could be done, but that's a discussion. Not an issue.
from curl.
How about a user or site configuration option to change the default, so that people can at least volunteer to suffer the pain of broken scripts in the name of security? Or even a build option to be used by security-above-all-else distributions.
I think any site worth getting data from will give the same response on https anyway. Actually needing http seems kind of niche, and worth being explicit about.
from curl.
Well, when I say 'add an option' I don't mean an option for the diligent user (those users will, as you say, fix the URL by hand), but something to curb dangerous defaults. Your example ~/.curlrc entries are helpful, but they also break some normal and deliberate behaviour.
What I'm thinking is configuration around this block of code:
Lines 1204 to 1220 in 5691a6c
to make the default guesses the secure choices -- while still allowing guessing and still allowing deliberate use of http as appropriate.
That's the minimal-disruption solution I imagine which would allow safety-conscious distributions and site administrators to force-enable at build time, if they judge that the consequential pain (where people have to add http:// to some scripts if that's what they need) is worthwhile for broader security for their users.
As things stand, people out there on the internet still post bash <(curl -L trustworthy-site.com) commands for others to paste into their terminal, overlooking that while they may trust the site, curl's default behaviour opens this up to downgrade attacks and the code they run may well turn out to be malicious.
Even if it's off by default just having the option is an important first step. Having the option raises awareness.
from curl.
I don't agree that it is dangerous. If you don't select a secure protocol then that's what happens. I like Dan's suggestion to use --proto-default in curlrc to force it to https.
from curl.
I mean.... somewhere low down on the first page of search results for 'curl pipe bash' I find this: https://www.arp242.net/curl-to-sh.html
Man-in-the-middle attacks: this is only a problem “if the developers omit the usage of TLS”, as the article already mentions. This is increasingly rare, and all of the cited examples use TLS.
They say that omission of TLS is "increasingly rare", but the syntax they give in their own example is: curl example.com/install.sh | sh, which omits TLS because of the way curl behaves.
"Working the way you should have expected" is not the same as safe.
Just saying... 🤷
from curl.
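The two mitigations raised in this thread (the maintainer's advice to switch the default protocol or disable plain http in .curlrc, Dan's --proto-default suggestion, and a safer replacement for the `curl example.com/install.sh | sh` pattern from the last comment) written out as runnable shell. This is an added example, not code from the curl project or from any commenter; the function names, the placeholder URL and the pinned checksum are assumptions for illustration. The option syntax is curl's own (--proto, --proto-default, --proto-redir, and the curlrc file format), but the curl invocation itself only runs when the wrapper is actually used.

```shell
#!/bin/sh
# Added example, not part of curl or of the discussion above.
#  1. a ~/.curlrc that makes scheme-less URLs default to https and then
#     refuses plain http altogether, including on redirects;
#  2. a fetch-then-verify wrapper for the "curl ... | sh" pattern.
# Function names, the example URL and the digest are placeholders (assumptions).

# 1. Hardened curlrc. `proto-default` only changes the guess for URLs that
#    carry no scheme ("curl example.com" becomes https://example.com/);
#    `proto = "=https"` rejects an explicit http:// URL outright.
#    Per the curl manual, --proto-redir cannot re-enable a protocol that
#    --proto denies, so the second line also covers http redirects.
hardened_curlrc() {
    cat <<'EOF'
# ~/.curlrc: prefer TLS for scheme-less URLs, then require it everywhere
proto-default = https
proto = "=https"
EOF
}

write_curlrc() {   # $1 = path to write (normally "$HOME/.curlrc")
    hardened_curlrc > "$1"
}

# 2. Checksum helpers that work offline: verify_sha256 FILE HEX returns 0 on a match.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_sha256() {   # $1 = file, $2 = expected hex digest
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Hardened replacement for `curl example.com/install.sh | sh`:
# explicit https only (also on redirects), TLS 1.2 or newer, fail on HTTP
# errors, download to a file, verify a pinned digest, and only then execute.
# ~/.curlrc is read automatically, but the flags are repeated here so the
# wrapper is safe even on a machine without the rc file.
# Usage: safe_curl_sh https://example.com/install.sh <sha256 hex digest>
safe_curl_sh() {
    url=$1; expected=$2
    case $url in
        https://*) ;;
        *) echo "refusing non-https URL: $url" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if ! curl --proto '=https' --proto-redir '=https' --tlsv1.2 \
              -fsSL --max-time 60 -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"; echo "checksum mismatch, not executing" >&2; return 3
    fi
    sh "$tmp"; status=$?
    rm -f "$tmp"
    return $status
}
```

The rc file alone changes what `curl trustworthy-site.com` does (it now guesses https and fails rather than silently downgrading), but it does nothing for users who paste the one-liner on a machine without it; that is why the wrapper repeats the protocol restrictions on the command line and adds the checksum step, which the thread's bare `curl ... | sh` pattern cannot provide.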