On Thu, Mar 12, 2009 at 12:39 PM, Niki <user@xxxxxxxxxxxxxx> wrote:
> Jochem Maas wrote:
>>
>> essentially, yes. note that if someone can upload a script and run it, a
>> bug in curl is the least of your worries. you have already been owned.
>
> Yes, obviously. :D I agree with you. :)
>
>>
>> the curl issue is more pertinent to situations where one is using curl
>> with CURLOPT_FOLLOWLOCATION (which seems like you'd want to use it
>> normally) and an attacker has some idea about how to be on the receiving
>> end of the curl call ... thereby allowing them to make your curl call eat
>> some nasty url (which may cause you to disclose sensitive info to the
>> callee, that was intended, for example, for a legitimate webservice ...
>> at least that's the way I understand it (hopefully someone will correct
>> me if I've got my wires crossed)
>
> I'm not so sure that I've understood... The attack could be successful when
> the libcurl extension is activated and there is a PHP page on the server
> that accepts a URL from the client, passing it to a cURL function. Is that
> correct? If so, I think this could be considered only an example of awful
> programming. Isn't it?
>
>
>>
>> P.S. please use a valid email address.
>
> I never use a valid e-mail address, in order to protect myself from spam.
> If there is a sort of "manifesto" that users must follow to send messages
> here I will surely specify my true e-mail address.
>
> Thank you very much again! ;)
>

Not a "manifesto", but the standard advice given to people who post to this
list is to use Reply-All when replying to the list. If your address is
invalid, people will have to manually remove it from the list of recipients
or else they will get a bounce response when it tries to send to your
user@xxxxxxxxxxxxxx address.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
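The scenario Jochem describes above (a PHP page hands a caller-supplied URL to cURL with CURLOPT_FOLLOWLOCATION on, and whoever controls the far end answers with a redirect to a URL the application never meant to fetch) is what a defensive wrapper has to account for. The following is an added example written for this thread, not code posted by anyone in it and not part of PHP or libcurl. It assumes PHP 5.3.7 or later with ext/curl built against a libcurl that supports CURLOPT_PROTOCOLS, CURLOPT_REDIR_PROTOCOLS and CURLINFO_REDIRECT_URL; the function names `rejectReason` and `safeFetch` and the sample request handling at the bottom are the example's own.

```php
<?php
// Added example, not code from the thread. A hardened fetch of a
// caller-supplied URL: cURL never follows redirects on its own; every hop
// (the initial URL and each Location) is validated before it is requested.

// Returns null when $url is acceptable, otherwise a short reason string.
// Only plain http/https to a publicly routable address passes.
function rejectReason($url)
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return 'unparseable URL or missing scheme/host';
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return "scheme '$scheme' not allowed";   // blocks file://, ftp://, gopher:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL not allowed';
    }
    $host = $parts['host'];
    // Resolve the name (gethostbynamel returns IPv4 only; see the note below)
    // and refuse loopback, link-local, private and other reserved ranges.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? array($host) : gethostbynamel($host);
    if ($ips === false || count($ips) === 0) {
        return "host '$host' does not resolve";
    }
    foreach ($ips as $ip) {
        $public = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($public === false) {
            return "host '$host' resolves to non-public address $ip";
        }
    }
    return null;
}

// Fetches $url, following at most $maxHops redirects by hand, re-validating
// each target. Returns array(status, body, finalUrl); throws on a policy
// violation or transport error.
function safeFetch($url, $maxHops = 3)
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $why = rejectReason($url);
        if ($why !== null) {
            throw new RuntimeException("refusing $url: $why");
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, array(
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_FOLLOWLOCATION  => false,                 // redirects handled below
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS, // second line of defence
            CURLOPT_CONNECTTIMEOUT  => 5,
            CURLOPT_TIMEOUT         => 10,
        ));
        $body = curl_exec($ch);
        if ($body === false) {
            $err = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException("curl error for $url: $err");
        }
        $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute URL, or '' if no redirect
        curl_close($ch);
        if ($status >= 300 && $status < 400 && $next !== '') {
            $url = $next;   // loop back: the new target is validated before it is fetched
            continue;
        }
        return array($status, $body, $url);
    }
    throw new RuntimeException("too many redirects (more than $maxHops)");
}

// Constructed usage: a URL taken from request input, never trusted as-is.
$requested = isset($_GET['url']) ? $_GET['url'] : 'http://example.com/';
try {
    list($status, $body, $final) = safeFetch($requested);
    echo "fetched $final with status $status (" . strlen($body) . " bytes)\n";
} catch (RuntimeException $e) {
    error_log('blocked outbound fetch: ' . $e->getMessage());
    header('HTTP/1.1 400 Bad Request');
}
```

Two caveats a practitioner would want. First, the address check runs at validation time while cURL resolves the name again when it connects, so a name whose answer changes between the two lookups can slip past it; where available, pinning the resolved address with CURLOPT_RESOLVE (or resolving once and connecting to the IP with a Host header) closes that gap, and `gethostbynamel` only returns IPv4 records, so AAAA records need a separate check. Second, a deny-list of address ranges is the fallback, not the goal: if the page exists to talk to one or two known web services, an allow-list of those hosts in `rejectReason` is both simpler and stronger than any amount of range filtering.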