From: Daniel Stenberg Date: Tue, 29 Aug 2023 11:24:06 +0000 (+0200) Subject: SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline X-Git-Tag: curl-8_3_0~86 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86bbb57e3111faaf99586ea5a42b8acafb003625;p=thirdparty%2Fcurl.git SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline Closes #11757 --- diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 4a06a84e2a..a4cda248cf 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -274,3 +274,12 @@ do not consider it a security problem. curl cannot protect against attacks where an attacker has write access to the same directory where curl is directed to save files. + +## Tricking a user to run a command line + +A creative, misleading or funny looking command line is not a security +problem. The curl command line tool takes options and URLs on the command line +and if an attacker can trick the user to run a specifically crafted curl +command line, all bets are off. Such an attacker can just as well have the +user run a much worse command that can do something fatal (like +`sudo rm -rf /`).
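Review bot: In the added "Tricking a user to run a command line" section, the phrase "all bets are off" is idiomatic and leaves the policy outcome implicit. Consider stating directly that whatever a crafted command line makes curl do is the tool acting on the options and URLs it was given, and so is not treated as a curl security problem, which ties the second sentence back to the first. Wording nits in the same paragraph and heading: "trick the user to run" reads better as "trick the user into running" (and "Tricking a user into running a command line" for the heading), and "funny looking" should be hyphenated as "funny-looking".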