libcurl/opts: do not save files in dirs where attackers have access

libcurl cannot fully protect against attacks where an attacker has write
access to the same directory where it is directed to save files. This is
particularly sensitive if you save files using elevated privileges.

Previously only mentioned in VULN-DISCLOSURE-POLICY.md.

Highlighted-by: Donguk Kim
Closes #16051

diff --git a/docs/libcurl/opts/CURLOPT_ALTSVC.md b/docs/libcurl/opts/CURLOPT_ALTSVC.md
index 30f61162dfc72e6925692bf1a32c6e0c54208d82..802affd14aab3948b935ac17d107585f219d8269 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_ALTSVC.md
+++ b/docs/libcurl/opts/CURLOPT_ALTSVC.md
@@ -41,6 +41,12 @@ option.
 Using this option multiple times makes the last set string override the
 previous ones. Set it to NULL to disable its use again.
 
+# SECURITY CONCERNS
+
+libcurl cannot fully protect against attacks where an attacker has write
+access to the same directory where it is directed to save files. This is
+particularly sensitive if you save files using elevated privileges.
+
 # DEFAULT
 
 NULL. The alt-svc cache is not read nor written to file.

diff --git a/docs/libcurl/opts/CURLOPT_COOKIEFILE.md b/docs/libcurl/opts/CURLOPT_COOKIEFILE.md
index 0da461eb8801bae11a9bdea9b1f0fe9320410aee..676d7285526018dc6d3b828349d5af5a87b60fb3 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_COOKIEFILE.md
+++ b/docs/libcurl/opts/CURLOPT_COOKIEFILE.md
@@ -55,7 +55,7 @@ If you use this option multiple times, you add more files to read cookies
 from. Setting this option to NULL disables the cookie engine and clears the
 list of files to read cookies from.
 
-# SECURITY
+# SECURITY CONCERNS
 
 This document previously mentioned how specifying a non-existing file can also
 enable the cookie engine. While true, we strongly advise against using that

diff --git a/docs/libcurl/opts/CURLOPT_COOKIEJAR.md b/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
index 3d047d7284714548e2383af2b18dfcb77e47b461..646972792efe0e094a85fe7e0198ccda8d753ffd 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
+++ b/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
@@ -52,6 +52,12 @@ option.
 Using this option multiple times makes the last set string override the
 previous ones. Set it to NULL to disable its use again.
 
+# SECURITY CONCERNS
+
+libcurl cannot fully protect against attacks where an attacker has write
+access to the same directory where it is directed to save files. This is
+particularly sensitive if you save files using elevated privileges.
+
 # DEFAULT
 
 NULL

diff --git a/docs/libcurl/opts/CURLOPT_HSTS.md b/docs/libcurl/opts/CURLOPT_HSTS.md
index 010e6b8e0cb47a24396da1eface3bc34a9edf572..79665d0a5c1e729d2ec7928c206aff25d3ef336e 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_HSTS.md
+++ b/docs/libcurl/opts/CURLOPT_HSTS.md
@@ -61,6 +61,12 @@ currently no length or size limit.
 
 NULL, no filename
 
+# SECURITY CONCERNS
+
+libcurl cannot fully protect against attacks where an attacker has write
+access to the same directory where it is directed to save files. This is
+particularly sensitive if you save files using elevated privileges.
+
 # %PROTOCOLS%
 
 # EXAMPLE