What are the security implications of enabling redirects during uploads? The security considerations page[1] says “When uploading, a redirect can cause a local (or remote) file to be overwritten.” and mentions CURLOPT_FOLLOWLOCATION, but as of Curl 7.19.4 it is no longer possible to HTTP redirect to local files with the FILE protocol. Is the impact limited to overwriting an unexpected remote URL (on any allowed protocol)? Or if a URL is user specified, overwriting a local file?
I was doing some security research and found a small number of open source projects that enable both CURLOPT_UPLOAD and CURLOPT_FOLLOWLOCATION, and was trying to assess the impact.

[1] https://curl.haxx.se/libcurl/security.html#Uploads

--
Blake
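An added example, not part of the original post: a heuristic source audit for the pattern the post describes, a libcurl handle that sets both CURLOPT_UPLOAD and CURLOPT_FOLLOWLOCATION. It also reports whether the handle limits redirect targets with CURLOPT_REDIR_PROTOCOLS (or CURLOPT_REDIR_PROTOCOLS_STR). The sample C source, the function names and the result labels are constructed for illustration, and the scan is textual (last value per handle expression), not flow-sensitive.

```python
import re

# curl_easy_setopt(handle, CURLOPT_NAME, value); as it appears in C source.
SETOPT = re.compile(
    r"curl_easy_setopt\s*\(\s*([^,]+?)\s*,\s*(CURLOPT_\w+)\s*,\s*(.+?)\s*\)\s*;",
    re.S)
# String literals are matched first so "https://..." is not taken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
OFF = re.compile(r"^(?:\(\s*long\s*\)\s*)?0L?$")  # 0, 0L, (long)0

def is_on(value):
    """Treat anything other than a literal zero (including variables) as enabled."""
    return value is not None and not OFF.match(value)

def audit(source):
    """Return (handle, status) for each handle that uploads and follows redirects."""
    code = TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", source)
    opts = {}  # handle expression -> {option name: last value seen}
    for handle, opt, value in SETOPT.findall(code):
        opts.setdefault(handle, {})[opt] = value
    findings = []
    for handle, o in opts.items():
        if is_on(o.get("CURLOPT_UPLOAD")) and is_on(o.get("CURLOPT_FOLLOWLOCATION")):
            limited = any(k.startswith("CURLOPT_REDIR_PROTOCOLS") for k in o)
            findings.append((handle, "restricted" if limited else "unrestricted"))
    return findings

# Constructed sample, not taken from any real project.
SAMPLE = r'''
void put_a(CURL *a, FILE *f) {
  curl_easy_setopt(a, CURLOPT_URL, "https://files.example/in"); // user input
  curl_easy_setopt(a, CURLOPT_UPLOAD, 1L);
  curl_easy_setopt(a, CURLOPT_FOLLOWLOCATION, 1L);
}
void put_b(CURL *b) {
  curl_easy_setopt(b, CURLOPT_UPLOAD, 1L);
  curl_easy_setopt(b, CURLOPT_FOLLOWLOCATION, (long)1);
  curl_easy_setopt(b, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
}
void put_c(CURL *c) {
  curl_easy_setopt(c, CURLOPT_UPLOAD, 1L);
  curl_easy_setopt(c, CURLOPT_FOLLOWLOCATION, 0L);
  /* curl_easy_setopt(c, CURLOPT_FOLLOWLOCATION, 1L); */
}
'''

if __name__ == "__main__":
    for handle, status in audit(SAMPLE):
        print(f"{handle}: upload + follow redirects, redirect protocols {status}")
```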