> > With the addition of CURLOPT_PREREQFUNCTION, one could write a callback
> > function to selectively block requests to certain IP/port ranges. This is
> > great, and I think it comes in handy when trying to prevent SSRF
> > vulnerabilities by blocking the request if it directs to an IP address that
> > is reserved or private.
>
> Isn't the solution to this, and a remedy to many other attacks at the same
> time, rather to use a secure protocol? If you use a TLS or SSH based protocol,
> it doesn't matter if someone manages to trick curl to connect to the wrong
> address as it won't survive the handshake anyway!
>
Thanks a lot for the quick response. You are right that the handshake would indeed fail under a secure protocol, and Curl does a fantastic job at that.

My particular use case is an FTP and HTTP ingestion server where TV reporters submit their videos; they submit a URL, and the server ingests it at a maximum speed configured internally. I couldn't think of a way to prevent someone from simply submitting an internal firewalled URL, because Curl would be allowed to fetch the files from the private IP address anyway.

Using plain FTP is a bad idea from the get-go, I totally agree. However, I thought a feature like this could be helpful to many users as an additional precautionary measure for those who can't use a protocol that validates the host name.

Thank you,
Ayesh.

--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
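The callback the quoted message proposes, written out as an added example that is not code from the curl project or from either poster. It assumes libcurl 7.80.0 or later, where CURLOPT_PREREQFUNCTION and CURLOPT_PREREQDATA exist; the range classifier (`blocked_reason`, `block_internal_targets` and the `blocked_v4` table are names chosen here) is plain C with no libcurl dependency so the file builds on its own, the libcurl registration calls appear only in a comment in `main`, and the sample addresses in `main` are constructed for illustration.

```c
/* Added example (not curl project code): a CURLOPT_PREREQFUNCTION callback
 * that refuses to talk to private, loopback, link-local or reserved
 * addresses, as proposed in the thread for SSRF mitigation. The classifier
 * is plain C so this file builds without libcurl; main() shows how the
 * callback would be installed with libcurl 7.80.0 or later. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* libcurl's return codes for the callback (values as in curl/curl.h),
 * defined here only when that header is not included. */
#ifndef CURL_PREREQFUNC_OK
#define CURL_PREREQFUNC_OK 0
#endif
#ifndef CURL_PREREQFUNC_ABORT
#define CURL_PREREQFUNC_ABORT 1
#endif

struct v4_range { uint32_t net; int prefix; const char *why; };

/* IPv4 ranges an ingestion service should never be asked to fetch from. */
static const struct v4_range blocked_v4[] = {
    { 0x00000000u,  8, "this-network 0.0.0.0/8" },
    { 0x0A000000u,  8, "private 10.0.0.0/8" },
    { 0x64400000u, 10, "shared address space 100.64.0.0/10" },
    { 0x7F000000u,  8, "loopback 127.0.0.0/8" },
    { 0xA9FE0000u, 16, "link-local 169.254.0.0/16" },
    { 0xAC100000u, 12, "private 172.16.0.0/12" },
    { 0xC0000000u, 24, "IETF protocol assignments 192.0.0.0/24" },
    { 0xC0000200u, 24, "documentation 192.0.2.0/24" },
    { 0xC0A80000u, 16, "private 192.168.0.0/16" },
    { 0xC6120000u, 15, "benchmarking 198.18.0.0/15" },
    { 0xC6336400u, 24, "documentation 198.51.100.0/24" },
    { 0xCB007100u, 24, "documentation 203.0.113.0/24" },
    { 0xE0000000u,  4, "multicast 224.0.0.0/4" },
    { 0xF0000000u,  4, "reserved/broadcast 240.0.0.0/4" },
};

static const char *v4_blocked_reason(uint32_t addr) /* host byte order */
{
    size_t i;
    for (i = 0; i < sizeof blocked_v4 / sizeof blocked_v4[0]; i++) {
        uint32_t mask = 0xFFFFFFFFu << (32 - blocked_v4[i].prefix);
        if ((addr & mask) == blocked_v4[i].net)
            return blocked_v4[i].why;
    }
    return NULL;
}

static const char *v6_blocked_reason(const struct in6_addr *a6)
{
    const unsigned char *b = a6->s6_addr;
    static const unsigned char zeros[16];
    /* ::ffff:a.b.c.d (IPv4-mapped) and 64:ff9b::/96 (NAT64) carry an IPv4
     * address in the last four bytes; judge that address by the IPv4 rules. */
    if ((memcmp(b, zeros, 10) == 0 && b[10] == 0xff && b[11] == 0xff) ||
        (b[0] == 0x00 && b[1] == 0x64 && b[2] == 0xff && b[3] == 0x9b &&
         memcmp(b + 4, zeros, 8) == 0)) {
        uint32_t tail = ((uint32_t)b[12] << 24) | ((uint32_t)b[13] << 16) |
                        ((uint32_t)b[14] << 8) | b[15];
        return v4_blocked_reason(tail);
    }
    if (memcmp(b, zeros, 15) == 0 && b[15] <= 1)
        return b[15] ? "loopback ::1" : "unspecified ::";
    if ((b[0] & 0xfe) == 0xfc) return "unique local fc00::/7";
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80) return "link-local fe80::/10";
    if (b[0] == 0xff) return "multicast ff00::/8";
    if (b[0] == 0x20 && b[1] == 0x01 && b[2] == 0x0d && b[3] == 0xb8)
        return "documentation 2001:db8::/32";
    return NULL;
}

/* NULL if the address may be contacted, otherwise a short reason.
 * Input that does not parse is rejected too: the check fails closed. */
const char *blocked_reason(const char *ip)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, ip, &a4) == 1)
        return v4_blocked_reason(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, ip, &a6) == 1)
        return v6_blocked_reason(&a6);
    return "address did not parse";
}

/* Signature required by CURLOPT_PREREQFUNCTION. libcurl calls it after the
 * connection is established but before the request is sent, passing the
 * address it actually connected to, so a hostname that resolved to an
 * internal address is judged by that address rather than by the URL text. */
int block_internal_targets(void *clientp, char *conn_primary_ip,
                           char *conn_local_ip, int conn_primary_port,
                           int conn_local_port)
{
    const char *why = blocked_reason(conn_primary_ip);
    (void)clientp; (void)conn_local_ip; (void)conn_local_port;
    if (why) {
        fprintf(stderr, "refusing request to [%s]:%d: %s\n",
                conn_primary_ip, conn_primary_port, why);
        return CURL_PREREQFUNC_ABORT; /* libcurl aborts the transfer */
    }
    return CURL_PREREQFUNC_OK;
}

int main(void)
{
    /* Constructed sample addresses. With libcurl the callback is installed as
     *   curl_easy_setopt(h, CURLOPT_PREREQFUNCTION, block_internal_targets);
     *   curl_easy_setopt(h, CURLOPT_PREREQDATA, NULL);  (clientp, unused here)
     * before the usual curl_easy_perform(h). */
    const char *samples[] = { "1.1.1.1", "10.1.2.3", "169.254.169.254",
                              "::ffff:127.0.0.1", "fd12::1", "2606:4700:4700::1111" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why = blocked_reason(samples[i]);
        printf("%-22s %s\n", samples[i], why ? why : "allowed");
    }
    return 0;
}
```

Built as-is with `cc -o prereq_check prereq_check.c` (no `-lcurl` needed until the registration calls in `main` are uncommented), the program prints a verdict per sample address. Two points worth keeping in mind when adopting this: the callback runs after the connection exists, so it blocks the request rather than the TCP connect itself, and it complements rather than replaces the advice in the quoted reply about using a protocol that authenticates the peer.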
