romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-05-18 06:26:20 +03:00
Code Issues Projects Releases Packages Wiki Activity

SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline

Browse source 
Closes #11757
This commit is contained in:
Daniel Stenberg 2023-08-29 13:24:06 +02:00
parent 748da39b94
commit 86bbb57e31
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
docs/SECURITY-PROCESS.md
View file

@ -274,3 +274,12 @@ do not consider it a security problem.
curl cannot protect against attacks where an attacker has write access to the
same directory where curl is directed to save files.
## Tricking a user to run a command line
A creative, misleading or funny looking command line is not a security
problem. The curl command line tool takes options and URLs on the command line
and if an attacker can trick the user to run a specifically crafted curl
command line, all bets are off. Such an attacker can just as well have the
user run a much worse command that can do something fatal (like
`sudo rm -rf /`).