982
985
parser is enabled the cookies will be understood and the cookies will be kept
983
986
in memory and used properly in subsequent requests when the same handle is
984
987
used. Many times this is enough, and you may not have to save the cookies to
985
disk at all. Note that the file you specify to CURLOPT_COOKIEFILE doesn't
986
have to exist to enable the parser, so a common way to just enable the parser
987
and not read able might be to use a file name you know doesn't exist.
988
disk at all. Note that the file you specify to CURLOPT_COOKIEFILE doesn't have
989
to exist to enable the parser, so a common way to just enable the parser and
990
not read any cookies is to use the name of a file you know doesn't exist.
989
If you rather use existing cookies that you've previously received with your
990
Netscape or Mozilla browsers, you can make libcurl use that cookie file as
991
input. The CURLOPT_COOKIEFILE is used for that too, as libcurl will
992
If you would rather use existing cookies that you've previously received with
993
your Netscape or Mozilla browsers, you can make libcurl use that cookie file
994
as input. The CURLOPT_COOKIEFILE is used for that too, as libcurl will
992
995
automatically find out what kind of file it is and act accordingly.
994
The perhaps most advanced cookie operation libcurl offers, is saving the
997
Perhaps the most advanced cookie operation libcurl offers, is saving the
995
998
entire internal cookie state back into a Netscape/Mozilla formatted cookie
996
999
file. We call that the cookie-jar. When you set a file name with
997
1000
CURLOPT_COOKIEJAR, that file name will be created and all received cookies
998
will be stored in it when \fIcurl_easy_cleanup(3)\fP is called. This enabled
1001
will be stored in it when \fIcurl_easy_cleanup(3)\fP is called. This enables
999
1002
cookies to get passed on properly between multiple handles without any
1000
1003
information getting lost.
1060
1063
.SH "Security Considerations"
1062
libcurl is in itself not insecure. If used the right way, you can use libcurl
1063
to transfer data pretty safely.
1065
The libcurl project takes security seriously. The library is written with
1066
caution and precautions are taken to mitigate many kinds of risks encountered
1067
while operating with potentially malicious servers on the Internet. It is a
1068
powerful library, however, which allows application writers to make trade offs
1069
between ease of writing and exposure to potential risky operations. If
1070
used the right way, you can use libcurl to transfer data pretty safely.
1065
There are of course many things to consider that may loosen up this
1072
Many applications are used in closed networks where users and servers
1073
can be trusted, but many others are used on arbitrary servers and are fed
1074
input from potentially untrusted users. Following is a discussion about
1075
some risks in the ways in which applications commonly use libcurl and
1076
potential mitigations of those risks. It is by no means comprehensive, but
1077
shows classes of attacks that robust applications should consider. The
1078
Common Weakness Enumeration project at http://cwe.mitre.org/ is a good
1079
reference for many of these and similar types of weaknesses of which
1080
application writers should be aware.
1068
1082
.IP "Command Lines"
1069
1083
If you use a command line tool (such as curl) that uses libcurl, and you give
1070
option to the tool on the command line those options can very likely get read
1084
options to the tool on the command line those options can very likely get read
1071
1085
by other users of your system when they use 'ps' or other tools to list
1072
1086
currently running processes.
1074
1088
To avoid this problem, never feed sensitive things to programs using command
1089
line options. Write them to a protected file and use the \-K option to
1078
1093
\&.netrc is a pretty handy file/feature that allows you to login quickly and
1088
1103
.IP "Clear Text Passwords"
1089
1104
Many of the protocols libcurl supports send name and password unencrypted as
1090
1105
clear text (HTTP Basic authentication, FTP, TELNET etc). It is very easy for
1091
anyone on your network or a network nearby yours, to just fire up a network
1106
anyone on your network or a network nearby yours to just fire up a network
1092
1107
analyzer tool and eavesdrop on your passwords. Don't let the fact that HTTP
1093
uses base64 encoded passwords fool you. They may not look readable at a first
1094
glance, but they very easily "deciphered" by anyone within seconds.
1096
To avoid this problem, use protocols that don't let snoopers see your
1097
password: HTTPS, FTPS and FTP-kerberos are a few examples. HTTP Digest
1098
authentication allows this too, but isn't supported by libcurl as of this
1108
Basic uses base64 encoded passwords fool you. They may not look readable at a
1109
first glance, but they very easily "deciphered" by anyone within seconds.
1111
To avoid this problem, use HTTP authentication methods or other protocols that
1112
don't let snoopers see your password: HTTP with Digest, NTLM or GSS
1113
authentication, HTTPS, FTPS, SCP, SFTP and FTP-Kerberos are a few examples.
1116
The CURLOPT_FOLLOWLOCATION option automatically follows HTTP redirects sent
1117
by a remote server. These redirects can refer to any kind of URL, not just
1118
HTTP. A redirect to a file: URL would cause the libcurl to read (or write)
1119
arbitrary files from the local filesystem. If the application returns
1120
the data back to the user (as would happen in some kinds of CGI scripts),
1121
an attacker could leverage this to read otherwise forbidden data (e.g.
1122
file://localhost/etc/passwd).
1124
If authentication credentials are stored in the ~/.netrc file, or Kerberos
1125
is in use, any other URL type (not just file:) that requires
1126
authentication is also at risk. A redirect such as
1127
ftp://some-internal-server/private-file would then return data even when
1128
the server is password protected.
1130
In the same way, if an unencrypted SSH private key has been configured for
1131
the user running the libcurl application, SCP: or SFTP: URLs could access
1132
password or private-key protected resources,
1133
e.g. sftp://user@some-internal-server/etc/passwd
1135
The CURLOPT_REDIR_PROTOCOLS and CURLOPT_NETRC options can be used to
1136
mitigate against this kind of attack.
1138
A redirect can also specify a location available only on the machine running
1139
libcurl, including servers hidden behind a firewall from the attacker.
1140
e.g. http://127.0.0.1/ or http://intranet/delete-stuff.cgi?delete=all or
1141
tftp://bootp-server/pc-config-data
1143
Apps can mitigate against this by disabling CURLOPT_FOLLOWLOCATION and
1144
handling redirects itself, sanitizing URLs as necessary. Alternately, an
1145
app could leave CURLOPT_FOLLOWLOCATION enabled but set CURLOPT_REDIR_PROTOCOLS
1146
and install a CURLOPT_OPENSOCKETFUNCTION callback function in which addresses
1147
are sanitized before use.
1149
.IP "Private Resources"
1150
A user who can control the DNS server of a domain being passed in within
1151
a URL can change the address of the host to a local, private address
1152
which the libcurl application will then use. e.g. The innocuous URL
1153
http://fuzzybunnies.example.com/ could actually resolve to the IP address
1154
of a server behind a firewall, such as 127.0.0.1 or 10.1.2.3
1155
Apps can mitigate against this by setting a CURLOPT_OPENSOCKETFUNCTION
1156
and checking the address before a connection.
1158
All the malicious scenarios regarding redirected URLs apply just as well
1159
to non-redirected URLs, if the user is allowed to specify an arbitrary URL
1160
that could point to a private resource. For example, a web app providing
1161
a translation service might happily translate file://localhost/etc/passwd
1162
and display the result. Apps can mitigate against this with the
1163
CURLOPT_PROTOCOLS option as well as by similar mitigation techniques for
1166
A malicious FTP server could in response to the PASV command return an
1167
IP address and port number for a server local to the app running libcurl
1168
but behind a firewall. Apps can mitigate against this by using the
1169
CURLOPT_FTP_SKIP_PASV_IP option or CURLOPT_FTPPORT.
1172
When uploading, a redirect can cause a local (or remote) file to be
1173
overwritten. Apps must not allow any unsanitized URL to be passed in
1174
for uploads. Also, CURLOPT_FOLLOWLOCATION should not be used on uploads.
1175
Instead, the app should handle redirects itself, sanitizing each URL first.
1178
Use of CURLOPT_UNRESTRICTED_AUTH could cause authentication information to
1179
be sent to an unknown second server. Apps can mitigate against this
1180
by disabling CURLOPT_FOLLOWLOCATION and handling redirects itself,
1181
sanitizing where necessary.
1183
Use of the CURLAUTH_ANY option to CURLOPT_HTTPAUTH could result in user
1184
name and password being sent in clear text to an HTTP server. Instead,
1185
use CURLAUTH_ANYSAFE which ensures that the password is encrypted over
1186
the network, or else fail the request.
1188
Use of the CURLUSESSL_TRY option to CURLOPT_USE_SSL could result in user
1189
name and password being sent in clear text to an FTP server. Instead,
1190
use CURLUSESSL_CONTROL to ensure that an encrypted connection is used or
1191
else fail the request.
1194
If cookies are enabled and cached, then a user could craft a URL which
1195
performs some malicious action to a site whose authentication is already
1196
stored in a cookie. e.g. http://mail.example.com/delete-stuff.cgi?delete=all
1197
Apps can mitigate against this by disabling cookies or clearing them
1200
.IP "Dangerous URLs"
1201
SCP URLs can contain raw commands within the scp: URL, which is a side effect
1202
of how the SCP protocol is designed. e.g.
1203
scp://user:pass@host/a;date >/tmp/test;
1204
Apps must not allow unsanitized SCP: URLs to be passed in for downloads.
1206
.IP "Denial of Service"
1207
A malicious server could cause libcurl to effectively hang by sending
1208
a trickle of data through, or even no data at all but just keeping the TCP
1209
connection open. This could result in a denial-of-service attack. The
1210
CURLOPT_TIMEOUT and/or CURLOPT_LOW_SPEED_LIMIT options can be used to
1211
mitigate against this.
1213
A malicious server could cause libcurl to effectively hang by starting to
1214
send data, then severing the connection without cleanly closing the
1215
TCP connection. The app could install a CURLOPT_SOCKOPTFUNCTION callback
1216
function and set the TCP SO_KEEPALIVE option to mitigate against this.
1217
Setting one of the timeout options would also work against this attack.
1219
A malicious server could cause libcurl to download an infinite amount of
1220
data, potentially causing all of memory or disk to be filled. Setting
1221
the CURLOPT_MAXFILESIZE_LARGE option is not sufficient to guard against this.
1222
Instead, the app should monitor the amount of data received within the
1223
write or progress callback and abort once the limit is reached.
1225
A malicious HTTP server could cause an infinite redirection loop, causing a
1226
denial-of-service. This can be mitigated by using the CURLOPT_MAXREDIRS
1229
.IP "Arbitrary Headers"
1230
User-supplied data must be sanitized when used in options like
1231
CURLOPT_USERAGENT, CURLOPT_HTTPHEADER, CURLOPT_POSTFIELDS and others that
1232
are used to generate structured data. Characters like embedded carriage
1233
returns or ampersands could allow the user to create additional headers or
1234
fields that could cause malicious transactions.
1236
.IP "Server Certificates"
1237
A secure application should never use the CURLOPT_SSL_VERIFYPEER option to
1238
disable certificate validation. There are numerous attacks that are enabled
1239
by apps that fail to properly validate server TLS/SSL certificates,
1240
thus enabling a malicious server to spoof a legitimate one. HTTPS without
1241
validated certificates is potentially as insecure as a plain HTTP connection.
1101
1243
.IP "Showing What You Do"
1102
1244
On a related issue, be aware that even in situations like when you have
1103
1245
problems with libcurl and ask someone for help, everything you reveal in order
1104
1246
to get best possible help might also impose certain security related
1105
risks. Host names, user names, paths, operating system specifics etc (not to
1247
risks. Host names, user names, paths, operating system specifics, etc (not to
1106
1248
mention passwords of course) may in fact be used by intruders to gain
1107
1249
additional information of a potential target.