Sortix cross-nightly manual
This manual documents Sortix cross-nightly. You can instead view this document in the latest official manual.
libcurl-security(3) | Library Functions Manual | libcurl-security(3) |
NAME
libcurl-security - security considerations when using libcurlSecurity
The libcurl project takes security seriously. The library is written with caution and precautions are taken to mitigate many kinds of risks encountered while operating with potentially malicious servers on the Internet. It is a powerful library, however, which allows application writers to make trade-offs between ease of writing and exposure to potential risky operations. If used the right way, you can use libcurl to transfer data pretty safely.Command Lines
If you use a command line tool (such as curl) that uses libcurl, and you give options to the tool on the command line those options can get read by other users of your system when they use ps or other tools to list currently running processes..netrc
.netrc is a pretty handy file/feature that allows you to login quickly and automatically to frequently visited sites. The file contains passwords in clear text and is a real security risk. In some cases, your .netrc is also stored in a home directory that is NFS mounted or used on another network based file system, so the clear text password flies through your network every time anyone reads that file.Clear Text Passwords
Many of the protocols libcurl supports send name and password unencrypted as clear text (HTTP Basic authentication, FTP, TELNET etc). It is easy for anyone on your network or a network nearby yours to just fire up a network analyzer tool and eavesdrop on your passwords. Do not let the fact that HTTP Basic uses base64 encoded passwords fool you. They may not look readable at a first glance, but they are easily "deciphered" by anyone within seconds.Unauthenticated Connections
Protocols that do not have any form of cryptographic authentication cannot with any certainty know that they communicate with the right remote server.- Restrict operations to authenticated transfers
- Use authenticated protocols protected with HTTPS or SSH.
- Make sure the server's certificate etc is verified
- Never ever switch off certificate verification.
Redirects
The CURLOPT_FOLLOWLOCATION(3) option automatically follows HTTP redirects sent by a remote server. These redirects can refer to any kind of URL, not just HTTP. libcurl restricts the protocols allowed to be used in redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are enabled by default. Applications may opt to restrict that set further.CRLF in Headers
For all options in libcurl which specify headers, including but not limited to CURLOPT_HTTPHEADER(3), CURLOPT_PROXYHEADER(3), CURLOPT_COOKIE(3), CURLOPT_USERAGENT(3), CURLOPT_REFERER(3) and CURLOPT_RANGE(3), libcurl sends the headers as-is and does not apply any special sanitation or normalization to them.Local Resources
A user who can control the DNS server of a domain being passed in within a URL can change the address of the host to a local, private address which a server-side libcurl-using application could then use. E.g. the innocuous URL http://fuzzybunnies.example.com/ could actually resolve to the IP address of a server behind a firewall, such as 127.0.0.1 or 10.1.2.3. Applications can mitigate against this by setting a CURLOPT_OPENSOCKETFUNCTION(3) or CURLOPT_PREREQFUNCTION(3) and checking the address before a connection.IPv4 Addresses
Some users might be tempted to filter access to local resources or similar based on numerical IPv4 addresses used in URLs. This is a bad and error-prone idea because of the many different ways a numerical IPv4 address can be specified and libcurl accepts: one to four dot-separated fields using one of or a mix of decimal, octal or hexadecimal encoding.IPv6 Addresses
libcurl handles IPv6 addresses transparently and just as easily as IPv4 addresses. That means that a sanitizing function that filters out addresses like 127.0.0.1 is not sufficient - the equivalent IPv6 addresses ::1, ::, 0:00::0:1, ::127.0.0.1 and ::ffff:7f00:1 supplied somehow by an attacker would all bypass a naive filter and could allow access to undesired local resources. IPv6 also has special address blocks like link-local and site-local that generally should not be accessed by a server-side libcurl-using application. A poorly configured firewall installed in a data center, organization or server may also be configured to limit IPv4 connections but leave IPv6 connections wide open. In some cases, setting CURLOPT_IPRESOLVE(3) to CURL_IPRESOLVE_V4 can be used to limit resolved addresses to IPv4 only and bypass these issues.Uploads
When uploading, a redirect can cause a local (or remote) file to be overwritten. Applications must not allow any unsanitized URL to be passed in for uploads. Also, CURLOPT_FOLLOWLOCATION(3) should not be used on uploads. Instead, the applications should consider handling redirects itself, sanitizing each URL first.Authentication
Use of CURLOPT_UNRESTRICTED_AUTH(3) could cause authentication information to be sent to an unknown second server. Applications can mitigate against this by disabling CURLOPT_FOLLOWLOCATION(3) and handling redirects itself, sanitizing where necessary.Cookies
If cookies are enabled and cached, then a user could craft a URL which performs some malicious action to a site whose authentication is already stored in a cookie. E.g. http://mail.example.com/delete-stuff.cgi?delete=all Applications can mitigate against this by disabling cookies or clearing them between requests.Dangerous SCP URLs
SCP URLs can contain raw commands within the scp: URL, which is a side effect of how the SCP protocol is designed. E.g.scp://user:pass@host/a;date >/tmp/test;
Applications must not allow unsanitized SCP: URLs to be passed in for downloads.
file://
By default curl and libcurl support file:// URLs. Such a URL is always an access, or attempted access, to a local resource. If your application wants to avoid that, keep control of what URLs to use and/or prevent curl/libcurl from using the protocol.Warning: file:// on Windows
The Windows operating system tries automatically, and without any way for applications to disable it, to establish a connection to another host over the network and access it (over SMB or other protocols), if only the correct file path is accessed.What if the user can set the URL
Applications may find it tempting to let users set the URL that it can work on. That is probably fine, but opens up for mischief and trickery that you as an application author may want to address or take precautions against.- Use --proto
- curl command lines can use --proto to limit what URL schemes it accepts
- Use CURLOPT_PROTOCOLS_STR
- libcurl programs can use CURLOPT_PROTOCOLS_STR(3) to limit what URL schemes it accepts
- consider not allowing the user to set the full URL
- Maybe just let the user provide data for parts of it? Or maybe filter input to only allow specific choices?
RFC 3986 vs WHATWG URL
curl supports URLs mostly according to how they are defined in RFC 3986, and has done so since the beginning.FTP uses two connections
When performing an FTP transfer, two TCP connections are used: one for setting up the transfer and one for the actual data.Active FTP passes on the local IP address
If you use curl/libcurl to do active FTP transfers, curl passes on the address of your local IP to the remote server - even when for example using a SOCKS or HTTP proxy in between curl and the target server.Denial of Service
A malicious server could cause libcurl to effectively hang by sending data slowly, or even no data at all but just keeping the TCP connection open. This could effectively result in a denial-of-service attack. The CURLOPT_TIMEOUT(3) and/or CURLOPT_LOW_SPEED_LIMIT(3) options can be used to mitigate against this.Arbitrary Headers
User-supplied data must be sanitized when used in options like CURLOPT_USERAGENT(3), CURLOPT_HTTPHEADER(3), CURLOPT_POSTFIELDS(3) and others that are used to generate structured data. Characters like embedded carriage returns or ampersands could allow the user to create additional headers or fields that could cause malicious transactions.Server-supplied Names
A server can supply data which the application may, in some cases, use as a filename. The curl command-line tool does this with --remote-header-name, using the Content-disposition: header to generate a filename. An application could also use CURLINFO_EFFECTIVE_URL(3) to generate a filename from a server-supplied redirect URL. Special care must be taken to sanitize such names to avoid the possibility of a malicious server supplying one like "/etc/passwd", "autoexec.bat", "prn:" or even ".bashrc".Server Certificates
A secure application should never use the CURLOPT_SSL_VERIFYPEER(3) option to disable certificate validation. There are numerous attacks that are enabled by applications that fail to properly validate server TLS/SSL certificates, thus enabling a malicious server to spoof a legitimate one. HTTPS without validated certificates is potentially as insecure as a plain HTTP connection.Showing What You Do
Relatedly, be aware that in situations when you have problems with libcurl and ask someone for help, everything you reveal in order to get best possible help might also impose certain security related risks. Hostnames, usernames, paths, operating system specifics, etc. (not to mention passwords of course) may in fact be used by intruders to gain additional information of a potential target.setuid applications using libcurl
libcurl-using applications that set the 'setuid' bit to run with elevated or modified rights also implicitly give that extra power to libcurl and this should only be done after careful considerations.File descriptors, fork and NTLM
An application that uses libcurl and invokes fork() gets all file descriptors duplicated in the child process, including the ones libcurl created.Secrets in memory
When applications pass usernames, passwords or other sensitive data to libcurl to be used for upcoming transfers, those secrets are kept around as-is in memory. In many cases they are stored in the heap for as long as the handle itself for which the options are set.Saving files
libcurl cannot protect against attacks where an attacker has write access to the same directory where libcurl is directed to save files.Cookies
If libcurl is built with PSL ( Public Suffix List) support, it detects and discards cookies that are specified for such suffix domains that should not be allowed to have cookies.Report Security Problems
Should you detect or just suspect a security problem in libcurl or curl, contact the project curl security team immediately. See https://curl.se/dev/secprocess.html for details.SEE ALSO
libcurl-thread(3)2024-11-24 | libcurl |