From: Daniel Stenberg Date: Tue, 3 May 2022 06:50:10 +0000 (+0200) Subject: SECURITY-PROCESS: mention "URL inconsistencies" X-Git-Tag: curl-7_83_1~42 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0d015fb3f6f49bb54c08234aeecc962d92adb8ff;p=thirdparty%2Fcurl.git SECURITY-PROCESS: mention "URL inconsistencies" ... as common problems that are *not* vulns. --- diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 345d98ff72..f6e0d31b63 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -188,3 +188,12 @@ already do much worse harm and the problem is not really in curl. Vulnerabilities in features which are off by default (in the build) and documented as experimental, are not eligible for a reward and we do not consider them security problems. + +## URL inconsistencies + +URL parser inconsistencies between browsers and curl are expected and are not +considered security vulnerabilities. The WHATWG URL Specification and RFC +3986+ (the plus meaning that it is an extended version) [are not completely +interoperable](https://github.com/bagder/docs/blob/master/URL-interop.md). + +Obvious parser bugs can still be vulnerabilities of course.
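Review bot: the final added line ("Obvious parser bugs can still be vulnerabilities of course.") leaves the criterion that separates an accepted "inconsistency" from a reportable "parser bug" undefined, and since this section decides what is eligible as a security report, the distinction should be stated: for example, that differing interpretations of the same (often ambiguous) URL between curl and a browser are expected, whereas a defect in curl's own parsing that violates the specification curl says it follows remains in scope. Two smaller points in the same hunk: the interoperability reference links to a personal repository (github.com/bagder/docs/blob/master/URL-interop.md) rather than curl-hosted documentation, so the link may go stale, and the parenthetical "(the plus meaning that it is an extended version)" reads awkwardly and could be replaced with plainer wording such as "RFC 3986 with extensions".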