docs: mention critical files in same directories as curl saves

... cannot be fully protected. Don't do it.

Co-authored-by: Jay Satiro
Reported-by: Harry Sintonen
Fixes #11530
Closes #11701

diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index 64123edd451bc807bff4ab46ce3e5126e2a3d05d..4a06a84e2ad1ed545bf432a56b4f3a09e51b3df9 100644 (file)
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -269,3 +269,8 @@ timeout value or otherwise) are not considered security problems. Applications
 are supposed to already handle situations when the transfer loop legitimately
 consumes 100% CPU time, so while a prolonged such busy-loop is a nasty bug, we
 do not consider it a security problem.
+
+## Saving files
+
+curl cannot protect against attacks where an attacker has write access to the
+same directory where curl is directed to save files.

diff --git a/docs/libcurl/libcurl-security.3 b/docs/libcurl/libcurl-security.3
index e95bb6ecc440596ff397a5d223fe80e555cb9f3a..0bc056c5fb8e8e0ce4ed9d7e5c655adbe59f6a3e 100644 (file)
--- a/docs/libcurl/libcurl-security.3
+++ b/docs/libcurl/libcurl-security.3
@@ -417,6 +417,9 @@ core dump file, such data might be accessible.
 Further, when eventually closing a handle and the secrets are no longer
 needed, libcurl does not explicitly clear memory before freeing it, so
 credentials may be left in freed data.
+.SH "Saving files"
+libcurl cannot protect against attacks where an attacker has write access to
+the same directory where libcurl is directed to save files.
 .SH "Report Security Problems"
 Should you detect or just suspect a security problem in libcurl or curl,
 contact the project curl security team immediately. See