alternately instead of restriction we could warn people better with just more log messages with a warning log level and maybe --warning switch.
Jim Fuller On Mon, 14 Jan 2019 at 11:31, Daniel Stenberg via curl-library <curl-library@cool.haxx.se> wrote: > > On Mon, 14 Jan 2019, Mischa Salle via curl-library wrote: > > > Hmm, not sure this would add very much, but on the other hand could indeed > > as Ray points out break things in unexpected ways and make life in general > > more complicated. > > Sure, users who'd decide to restrict curl would probably get it "more > complicated" in some ways but that's by choice and that also saves them from > using applications/scripts in ways they don't approve of. A complication that > brings benefits. > > If you don't care (which I assume most people won't), you don't set anything > and then there's nothing extra! > > > If you want to add policies, I think you will be needing more than a simple > > env variable, i.e. something like a config file. > > The problem with a config file is that it then becomes set for all curl > invokes and not just the one from a specific shell, which an environment > variable would do. I would also imagine that restricting curl like this would > be something often done to test and experiment first and then you really don't > want to affect any other scripts than the particular one you want to try out > right now. > > Also suggested a environment variable because it is easy to play with from a > user's stand-point. > > > In any case you need the cooperation of the script/program calling > > curl as it would be trivial to circumvent (declare -r doesn't help). > > Why would a script/application author actively work against this? I don't > understand what motivations such developers would have. I mean the typical > well-meaning ones, not the rare malicious or misinformed developers who I of > course acknowledge exist but I think is a very small minority. > > A developer who wants a script or program to run and use an insecure protocol > for example, they do that for a reason as they perhaps only have access to a > service over that protocol. Why would they try to trick their users into > believing they're not using those insecure protocols? > > Maybe I'm just too much of an optimist! =) > > -- > > / daniel.haxx.se > ------------------------------------------------------------------- > Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library > Etiquette: https://curl.haxx.se/mail/etiquette.html ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.html
