romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-15 02:31:40 +03:00
Code Issues Projects Releases Packages Wiki Activity

SECURITY-PROCESS: mention "URL inconsistencies"

Browse source 
... as common problems that are *not* vulns.
This commit is contained in:
Daniel Stenberg 2022-05-03 08:50:10 +02:00
parent 803947a1c7
commit 0d015fb3f6
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
docs/SECURITY-PROCESS.md
View file

@ -188,3 +188,12 @@ already do much worse harm and the problem is not really in curl.
Vulnerabilities in features which are off by default (in the build) and
documented as experimental, are not eligible for a reward and we do not
consider them security problems.
## URL inconsistencies
URL parser inconsistencies between browsers and curl are expected and are not
considered security vulnerabilities. The WHATWG URL Specification and RFC
3986+ (the plus meaning that it is an extended version) [are not completely
interoperable](https://github.com/bagder/docs/blob/master/URL-interop.md).
Obvious parser bugs can still be vulnerabilities of course.