On Thu, Jan 10, 2019 at 2:56 PM bch <brad.har...@gmail.com> wrote: > > > On Thu, Jan 10, 2019 at 2:30 PM Daniel Stenberg via curl-library < > curl-library@cool.haxx.se> wrote: > >> Hey, >> >> I want to test an idea on you all before I proceed and do anything else >> with >> it. I need your input, your critique and perhaps your suggestions on how >> to >> make into an awesome idea. >> >> The problem >> >> You - as a user - run programs and scripts that themselves use libcurl >> or >> just the command line curl, in ways that you don't approve of. Even if >> the >> program or script was written to do use that feature. >> >> The solution >> >> The all new `CURL_INHIBIT` environment variable, that is parsed by >> libcurl >> and can be used to make libcurl avoid certain behaviors. >> >> Using this, you can voluntary raise the bar for what's accepted, to >> prevent >> scripts and programs from for example using insecure protocols etc. >> >> The variable should contain a comma-separated list of named >> restrictions. The >> restrictions available are listed below, but other ones may be added in >> later >> libcurl versions (and older may be removed). Unknown or just misspelled >> restrictions will be silently ignored. >> >> Restrictions should be named to identify what is *inhibited* by it. >> > > > I’m only parking this all quickly, but: >
*parsing this all quickly... > Consider > > 1) having a diagnostic-requesting env var that perhaps dumps state of what > cURL was trying to do > > 2) whitelisting *allowances* instead of blacklisting denials > > -bch > > > >> The general idea here is that applications and scripts using curl can't >> change or work around restrictions set in this variable! >> >> Restrictions >> >> Here are three that I immediately came to think of. I'd be interested in >> adding others to the list if you can think of some! >> >> 'clear-text' >> >> When set, this will make libcurl avoid downloads over clear-text >> connections. >> The transfer MUST be encrypted or trigger an error (`CURLE_INIHIBITED`). >> >> 'user-in-url' >> >> When set, this is the equivalent of the application setting the >> `CURLOPT_DISALLOW_USERNAME_IN_URL` option. It will prevent libcurl from >> accepting URLs with embedded user names. >> >> 'insecure-https' >> >> When set, this will make transfers that are attempted with server >> certificate >> validation disabled to fail. >> >> Anything you think you would ever use and appreciate? >> >> -- >> >> / daniel.haxx.se >> ------------------------------------------------------------------- >> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library >> Etiquette: https://curl.haxx.se/mail/etiquette.html > >
------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
