Added section on server-supplied names to security considerations

author Dan Fandrich <dan@coneharvesters.com>

Tue, 12 Oct 2010 18:22:18 +0000 (11:22 -0700)

committer Dan Fandrich <dan@coneharvesters.com>

Tue, 12 Oct 2010 18:22:18 +0000 (11:22 -0700)
author Dan Fandrich <dan@coneharvesters.com>
Tue, 12 Oct 2010 18:22:18 +0000 (11:22 -0700)
committer Dan Fandrich <dan@coneharvesters.com>
Tue, 12 Oct 2010 18:22:18 +0000 (11:22 -0700)
diff --git a/docs/libcurl/libcurl-tutorial.3 b/docs/libcurl/libcurl-tutorial.3

index 236eba05645b7a6b77103a04901d39a3d62ec952..72f002963a3a3b372defb897e7e2d7076c0bfefa 100644 (file)
--- a/docs/libcurl/libcurl-tutorial.3
+++ b/docs/libcurl/libcurl-tutorial.3
@@ -1237,6 +1237,15 @@ are used to generate structured data. Characters like embedded carriage
  returns or ampersands could allow the user to create additional headers or
  fields that could cause malicious transactions.
  
+.IP "Server-supplied Names"
+A server can supply data which the application may, in some cases, use as
+a file name. The curl command-line tool does this with --remote-header-name,
+using the Content-disposition: header to generate a file name.  An application
+could also use CURLINFO_EFFECTIVE_URL to generate a file name from a
+server-supplied redirect URL. Special care must be taken to sanitize such
+names to avoid the possibility of a malicious server supplying one like
+"/etc/passwd", "\autoexec.bat" or even ".bashrc".
+
  .IP "Server Certificates"
  A secure application should never use the CURLOPT_SSL_VERIFYPEER option to
  disable certificate validation. There are numerous attacks that are enabled
author	Dan Fandrich <dan@coneharvesters.com>
	Tue, 12 Oct 2010 18:22:18 +0000 (11:22 -0700)
committer	Dan Fandrich <dan@coneharvesters.com>
	Tue, 12 Oct 2010 18:22:18 +0000 (11:22 -0700)