On Mon, Mar 16, 2020 at 3:19 AM Daniel Stenberg via curl-library <curl-library@cool.haxx.se> wrote:
>
> This is a general note and warning to users of curl and libcurl running on
> Windows and using FILE:// transfers.
>
> The Windows operating system will automatically, and without any way for
> applications to disable it, try to establish a connection to another host over
> the network and access it (over SMB or other protocols), if only the correct
> file path is accessed.
>
> When first realizing this, the curl team tried to filter out such attempts in
> order to protect applications from inadvertent probes of for example internal
> networks etc. This resulted in CVE-2019-15601 and the associated security fix.
> ...
> The conclusion we have come to is that this is a weakness or feature in the
> Windows operating system itself, that we as an application cannot safely
> protect users against. It would just be a whack-a-mole race we don't want to
> participate in. There are too many ways to do it and there's no knob we can
> use to turn off the practice.

Yes, the feature is baked into the Windows network redirector. If it is a bug, then it is a Microsoft redirector bug, not a cURL bug.

How did someone manage to get CVE-2019-15601 assigned to cURL for this? More useless crap from snake oil firms?

Jeff