libcurl-security.3: separate file:// section

author Daniel Stenberg <daniel@haxx.se>

Tue, 13 Feb 2018 13:04:04 +0000 (14:04 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Tue, 13 Feb 2018 13:04:04 +0000 (14:04 +0100)
author Daniel Stenberg <daniel@haxx.se>
Tue, 13 Feb 2018 13:04:04 +0000 (14:04 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Tue, 13 Feb 2018 13:04:04 +0000 (14:04 +0100)
diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3

index 185fb6b0889910ce3d007ca2d7b8ba4d615cb933..377301ee075ce285a52aa385c1216ce84778b44f 100644 (file)
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -208,6 +208,13 @@ of how the SCP protocol is designed. e.g.
  
  Applications must not allow unsanitized SCP: URLs to be passed in for
  downloads.
+.SH "file://"
+By default curl and libcurl support file:// URLs. Such a URL is always an
+access, or attempted access, to a local resource. If your application wants to
+avoid that, keep control of what URLs to use and/or prevent curl/libcurl from
+using the protocol.
+
+By default, libcurl prohibits redirects to file:// URLs.
  .SH "What if the user can set the URL"
  Applications may find it tempting to let users set the URL that it can work
  on. That's probably fine, but opens up for mischief and trickery that you as
author	Daniel Stenberg <daniel@haxx.se>
	Tue, 13 Feb 2018 13:04:04 +0000 (14:04 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 13 Feb 2018 13:04:04 +0000 (14:04 +0100)