oracular (3) libcurl-security.3.gz
NAME
libcurl-security - security considerations when using libcurl
Security
The libcurl project takes security seriously. The library is written with caution and precautions are
taken to mitigate many kinds of risks encountered while operating with potentially malicious servers on
the Internet. It is a powerful library, however, which allows application writers to make trade-offs
between ease of writing and exposure to potential risky operations. If used the right way, you can use
libcurl to transfer data pretty safely.
Many applications are used in closed networks where users and servers can (possibly) be trusted, but many
others are used on arbitrary servers and are fed input from potentially untrusted users. Following is a
discussion about some risks in the ways in which applications commonly use libcurl and potential
mitigations of those risks. It is not comprehensive, but shows classes of attacks that robust
applications should consider. The Common Weakness Enumeration project at https://cwe.mitre.org/ is a good
reference for many of these and similar types of weaknesses of which application writers should be aware.
Command Lines
If you use a command line tool (such as curl) that uses libcurl, and you give options to the tool on the
command line those options can get read by other users of your system when they use ps or other tools to
list currently running processes.
To avoid these problems, never feed sensitive things to programs using command line options. Write them
to a protected file and use the -K option to avoid this.
.netrc
.netrc is a pretty handy file/feature that allows you to login quickly and automatically to frequently
visited sites. The file contains passwords in clear text and is a real security risk. In some cases, your
.netrc is also stored in a home directory that is NFS mounted or used on another network based file
system, so the clear text password flies through your network every time anyone reads that file.
For applications that enable .netrc use, a user who manage to set the right URL might then be possible to
pass on passwords.
To avoid these problems, do not use .netrc files and never store passwords in plain text anywhere.
Clear Text Passwords
Many of the protocols libcurl supports send name and password unencrypted as clear text (HTTP Basic
authentication, FTP, TELNET etc). It is easy for anyone on your network or a network nearby yours to just
fire up a network analyzer tool and eavesdrop on your passwords. Do not let the fact that HTTP Basic uses
base64 encoded passwords fool you. They may not look readable at a first glance, but they are easily
"deciphered" by anyone within seconds.
To avoid this problem, use an authentication mechanism or other protocol that does not let snoopers see
your password: Digest, CRAM-MD5, Kerberos, SPNEGO or NTLM authentication. Or even better: use
authenticated protocols that protect the entire connection and everything sent over it.
Unauthenticated Connections
Protocols that do not have any form of cryptographic authentication cannot with any certainty know that
they communicate with the right remote server.
If your application is using a fixed scheme or fixed hostname, it is not safe as long as the connection
is unauthenticated. There can be a man-in-the-middle or in fact the whole server might have been replaced
by an evil actor.
Unauthenticated protocols are unsafe. The data that comes back to curl may have been injected by an
attacker. The data that curl sends might be modified before it reaches the intended server. If it even
reaches the intended server at all.
Remedies:
Restrict operations to authenticated transfers
Use authenticated protocols protected with HTTPS or SSH.
Make sure the server's certificate etc is verified
Never ever switch off certificate verification.
Redirects
The CURLOPT_FOLLOWLOCATION(3) option automatically follows HTTP redirects sent by a remote server. These redirects can refer to any kind of URL, not just HTTP. libcurl restricts the protocols allowed to be used in redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are enabled by default. Applications may opt to restrict that set further. A redirect to a file: URL would cause the libcurl to read (or write) arbitrary files from the local filesystem. If the application returns the data back to the user (as would happen in some kinds of CGI scripts), an attacker could leverage this to read otherwise forbidden data (e.g. file://localhost/etc/passwd). If authentication credentials are stored in the ~/.netrc file, or Kerberos is in use, any other URL type (not just file:) that requires authentication is also at risk. A redirect such as ftp://some-internal-server/private-file would then return data even when the server is password protected. In the same way, if an unencrypted SSH private key has been configured for the user running the libcurl application, SCP: or SFTP: URLs could access password or private-key protected resources, e.g. sftp://user@some-internal-server/etc/passwd The CURLOPT_REDIR_PROTOCOLS_STR(3) and CURLOPT_NETRC(3) options can be used to mitigate against this kind of attack. A redirect can also specify a location available only on the machine running libcurl, including servers hidden behind a firewall from the attacker. E.g. http://127.0.0.1/ or http://intranet/delete-stuff.cgi?delete=all or tftp://bootp-server/pc-config-data Applications can mitigate against this by disabling CURLOPT_FOLLOWLOCATION(3) and handling redirects itself, sanitizing URLs as necessary. Alternately, an app could leave CURLOPT_FOLLOWLOCATION(3) enabled but set CURLOPT_REDIR_PROTOCOLS_STR(3) and install a CURLOPT_OPENSOCKETFUNCTION(3) or CURLOPT_PREREQFUNCTION(3) callback function in which addresses are sanitized before use.
CRLF in Headers
For all options in libcurl which specify headers, including but not limited to CURLOPT_HTTPHEADER(3), CURLOPT_PROXYHEADER(3), CURLOPT_COOKIE(3), CURLOPT_USERAGENT(3), CURLOPT_REFERER(3) and CURLOPT_RANGE(3), libcurl sends the headers as-is and does not apply any special sanitation or normalization to them. If you allow untrusted user input into these options without sanitizing CRLF sequences in them, someone malicious may be able to modify the request in a way you did not intend such as injecting new headers.
Local Resources
A user who can control the DNS server of a domain being passed in within a URL can change the address of
the host to a local, private address which a server-side libcurl-using application could then use. E.g.
the innocuous URL http://fuzzybunnies.example.com/ could actually resolve to the IP address of a server
behind a firewall, such as 127.0.0.1 or 10.1.2.3. Applications can mitigate against this by setting a
CURLOPT_OPENSOCKETFUNCTION(3) or CURLOPT_PREREQFUNCTION(3) and checking the address before a connection.
All the malicious scenarios regarding redirected URLs apply just as well to non-redirected URLs, if the
user is allowed to specify an arbitrary URL that could point to a private resource. For example, a web
app providing a translation service might happily translate file://localhost/etc/passwd and display the
result. Applications can mitigate against this with the CURLOPT_PROTOCOLS_STR(3) option as well as by
similar mitigation techniques for redirections.
A malicious FTP server could in response to the PASV command return an IP address and port number for a
server local to the app running libcurl but behind a firewall. Applications can mitigate against this by
using the CURLOPT_FTP_SKIP_PASV_IP(3) option or CURLOPT_FTPPORT(3).
Local servers sometimes assume local access comes from friends and trusted users. An application that
expects https://example.com/file_to_read that and instead gets http://192.168.0.1/my_router_config might
print a file that would otherwise be protected by the firewall.
Allowing your application to connect to local hosts, be it the same machine that runs the application or
a machine on the same local network, might be possible to exploit by an attacker who then perhaps can
"port-scan" the particular hosts - depending on how the application and servers acts.
IPv4 Addresses
Some users might be tempted to filter access to local resources or similar based on numerical IPv4
addresses used in URLs. This is a bad and error-prone idea because of the many different ways a numerical
IPv4 address can be specified and libcurl accepts: one to four dot-separated fields using one of or a mix
of decimal, octal or hexadecimal encoding.
IPv6 Addresses
libcurl handles IPv6 addresses transparently and just as easily as IPv4 addresses. That means that a
sanitizing function that filters out addresses like 127.0.0.1 is not sufficient - the equivalent IPv6
addresses ::1, ::, 0:00::0:1, ::127.0.0.1 and ::ffff:7f00:1 supplied somehow by an attacker would all
bypass a naive filter and could allow access to undesired local resources. IPv6 also has special address
blocks like link-local and site-local that generally should not be accessed by a server-side
libcurl-using application. A poorly configured firewall installed in a data center, organization or
server may also be configured to limit IPv4 connections but leave IPv6 connections wide open. In some
cases, setting CURLOPT_IPRESOLVE(3) to CURL_IPRESOLVE_V4 can be used to limit resolved addresses to IPv4
only and bypass these issues.
Uploads
When uploading, a redirect can cause a local (or remote) file to be overwritten. Applications must not
allow any unsanitized URL to be passed in for uploads. Also, CURLOPT_FOLLOWLOCATION(3) should not be used
on uploads. Instead, the applications should consider handling redirects itself, sanitizing each URL
first.
Authentication
Use of CURLOPT_UNRESTRICTED_AUTH(3) could cause authentication information to be sent to an unknown second server. Applications can mitigate against this by disabling CURLOPT_FOLLOWLOCATION(3) and handling redirects itself, sanitizing where necessary. Use of the CURLAUTH_ANY option to CURLOPT_HTTPAUTH(3) could result in username and password being sent in clear text to an HTTP server. Instead, use CURLAUTH_ANYSAFE which ensures that the password is encrypted over the network, or else fail the request. Use of the CURLUSESSL_TRY option to CURLOPT_USE_SSL(3) could result in username and password being sent in clear text to an FTP server. Instead, use CURLUSESSL_CONTROL to ensure that an encrypted connection is used or else fail the request.
Cookies
If cookies are enabled and cached, then a user could craft a URL which performs some malicious action to
a site whose authentication is already stored in a cookie. E.g.
http://mail.example.com/delete-stuff.cgi?delete=all Applications can mitigate against this by disabling
cookies or clearing them between requests.
Dangerous SCP URLs
SCP URLs can contain raw commands within the scp: URL, which is a side effect of how the SCP protocol is
designed. E.g.
scp://user:pass@host/a;date >/tmp/test;
Applications must not allow unsanitized SCP: URLs to be passed in for downloads.
file://
By default curl and libcurl support file:// URLs. Such a URL is always an access, or attempted access, to
a local resource. If your application wants to avoid that, keep control of what URLs to use and/or
prevent curl/libcurl from using the protocol.
By default, libcurl prohibits redirects to file:// URLs.
Warning: file:// on Windows
The Windows operating system tries automatically, and without any way for applications to disable it, to
establish a connection to another host over the network and access it (over SMB or other protocols), if
only the correct file path is accessed.
When first realizing this, the curl team tried to filter out such attempts in order to protect
applications for inadvertent probes of for example internal networks etc. This resulted in CVE-2019-15601
and the associated security fix.
However, we have since been made aware of the fact that the previous fix was far from adequate as there
are several other ways to accomplish more or less the same thing: accessing a remote host over the
network instead of the local file system.
The conclusion we have come to is that this is a weakness or feature in the Windows operating system
itself, that we as an application cannot safely protect users against. It would just be a whack-a-mole
race we do not want to participate in. There are too many ways to do it and there is no knob we can use
to turn off the practice.
If you use curl or libcurl on Windows (any version), disable the use of the FILE protocol in curl or be
prepared that accesses to a range of "magic paths" potentially make your system access other hosts on
your network. curl cannot protect you against this.
What if the user can set the URL
Applications may find it tempting to let users set the URL that it can work on. That is probably fine,
but opens up for mischief and trickery that you as an application author may want to address or take
precautions against.
If your curl-using script allow a custom URL do you also, perhaps unintentionally, allow the user to pass
other options to the curl command line if creative use of special characters are applied?
If the user can set the URL, the user can also specify the scheme part to other protocols that you did
not intend for users to use and perhaps did not consider. curl supports over 20 different URL schemes.
"http://" might be what you thought, "ftp://" or "imap://" might be what the user gives your application.
Also, cross-protocol operations might be done by using a particular scheme in the URL but point to a
server doing a different protocol on a non-standard port.
Remedies:
Use --proto
curl command lines can use --proto to limit what URL schemes it accepts
Use CURLOPT_PROTOCOLS_STR
libcurl programs can use CURLOPT_PROTOCOLS_STR(3) to limit what URL schemes it accepts
consider not allowing the user to set the full URL
Maybe just let the user provide data for parts of it? Or maybe filter input to only allow specific
choices?
RFC 3986 vs WHATWG URL
curl supports URLs mostly according to how they are defined in RFC 3986, and has done so since the
beginning.
Web browsers mostly adhere to the WHATWG URL Specification.
This deviance makes some URLs copied between browsers (or returned over HTTP for redirection) and curl
not work the same way. It can also cause problems if an application parses URLs differently from libcurl
and makes different assumptions about a link. This can mislead users into getting the wrong thing,
connecting to the wrong host or otherwise not working identically.
Within an application, this can be mitigated by always using the curl_url(3) API to parse URLs, ensuring
that they are parsed the same way as within libcurl itself.
FTP uses two connections
When performing an FTP transfer, two TCP connections are used: one for setting up the transfer and one
for the actual data.
FTP is not only unauthenticated, but the setting up of the second transfer is also a weak spot. The
second connection to use for data, is either setup with the PORT/EPRT command that makes the server
connect back to the client on the given IP+PORT, or with PASV/EPSV that makes the server setup a port to
listen to and tells the client to connect to a given IP+PORT.
Again, unauthenticated means that the connection might be meddled with by a man-in-the-middle or that
there is a malicious server pretending to be the right one.
A malicious FTP server can respond to PASV commands with the IP+PORT of a totally different machine.
Perhaps even a third party host, and when there are many clients trying to connect to that third party,
it could create a Distributed Denial-Of-Service attack out of it. If the client makes an upload
operation, it can make the client send the data to another site. If the attacker can affect what data the
client uploads, it can be made to work as a HTTP request and then the client could be made to issue HTTP
requests to third party hosts.
An attacker that manages to control curl's command line options can tell curl to send an FTP PORT command
to ask the server to connect to a third party host instead of back to curl.
The fact that FTP uses two connections makes it vulnerable in a way that is hard to avoid.
Active FTP passes on the local IP address
If you use curl/libcurl to do active FTP transfers, curl passes on the address of your local IP to the
remote server - even when for example using a SOCKS or HTTP proxy in between curl and the target server.
Denial of Service
A malicious server could cause libcurl to effectively hang by sending data slowly, or even no data at all
but just keeping the TCP connection open. This could effectively result in a denial-of-service attack.
The CURLOPT_TIMEOUT(3) and/or CURLOPT_LOW_SPEED_LIMIT(3) options can be used to mitigate against this.
A malicious server could cause libcurl to download an infinite amount of data, potentially causing system
resources to be exhausted resulting in a system or application crash. Setting the
CURLOPT_MAXFILESIZE_LARGE(3) option is not sufficient to guard against this. Instead, applications should
monitor the amount of data received within the write or progress callback and abort once the limit is
reached.
A malicious HTTP server could cause an infinite redirection loop, causing a denial-of-service. This can
be mitigated by using the CURLOPT_MAXREDIRS(3) option.
Arbitrary Headers
User-supplied data must be sanitized when used in options like CURLOPT_USERAGENT(3), CURLOPT_HTTPHEADER(3), CURLOPT_POSTFIELDS(3) and others that are used to generate structured data. Characters like embedded carriage returns or ampersands could allow the user to create additional headers or fields that could cause malicious transactions.
Server-supplied Names
A server can supply data which the application may, in some cases, use as a filename. The curl
command-line tool does this with --remote-header-name, using the Content-disposition: header to generate
a filename. An application could also use CURLINFO_EFFECTIVE_URL(3) to generate a filename from a
server-supplied redirect URL. Special care must be taken to sanitize such names to avoid the possibility
of a malicious server supplying one like "/etc/passwd", "autoexec.bat", "prn:" or even ".bashrc".
Server Certificates
A secure application should never use the CURLOPT_SSL_VERIFYPEER(3) option to disable certificate validation. There are numerous attacks that are enabled by applications that fail to properly validate server TLS/SSL certificates, thus enabling a malicious server to spoof a legitimate one. HTTPS without validated certificates is potentially as insecure as a plain HTTP connection.
Showing What You Do
Relatedly, be aware that in situations when you have problems with libcurl and ask someone for help,
everything you reveal in order to get best possible help might also impose certain security related
risks. Hostnames, usernames, paths, operating system specifics, etc. (not to mention passwords of course)
may in fact be used by intruders to gain additional information of a potential target.
Be sure to limit access to application logs if they could hold private or security-related data. Besides
the obvious candidates like usernames and passwords, things like URLs, cookies or even filenames could
also hold sensitive data.
To avoid this problem, you must of course use your common sense. Often, you can just edit out the
sensitive data or just search/replace your true information with faked data.
setuid applications using libcurl
libcurl-using applications that set the 'setuid' bit to run with elevated or modified rights also
implicitly give that extra power to libcurl and this should only be done after careful considerations.
Giving setuid powers to the application means that libcurl can save files using those new rights (if for
example the SSLKEYLOGFILE environment variable is set). Also: if the application wants these powers to
read or manage secrets that the user is otherwise not able to view (like credentials for a login etc), it
should be noted that libcurl still might understand proxy environment variables that allow the user to
redirect libcurl operations to use a proxy controlled by the user.
File descriptors, fork and NTLM
An application that uses libcurl and invokes fork() gets all file descriptors duplicated in the child
process, including the ones libcurl created.
libcurl itself uses fork() and execl() if told to use the CURLAUTH_NTLM_WB authentication method which
then invokes the helper command in a child process with file descriptors duplicated. Make sure that only
the trusted and reliable helper program is invoked!
Secrets in memory
When applications pass usernames, passwords or other sensitive data to libcurl to be used for upcoming
transfers, those secrets are kept around as-is in memory. In many cases they are stored in the heap for
as long as the handle itself for which the options are set.
If an attacker can access the heap, like maybe by reading swap space or via a core dump file, such data
might be accessible.
Further, when eventually closing a handle and the secrets are no longer needed, libcurl does not
explicitly clear memory before freeing it, so credentials may be left in freed data.
Saving files
libcurl cannot protect against attacks where an attacker has write access to the same directory where
libcurl is directed to save files.
Cookies
If libcurl is built with PSL (Public Suffix List) support, it detects and discards cookies that are
specified for such suffix domains that should not be allowed to have cookies.
if libcurl is not built with PSL support, it has no ability to stop super cookies.
Report Security Problems
Should you detect or just suspect a security problem in libcurl or curl, contact the project curl
security team immediately. See https://curl.se/dev/secprocess.html for details.
SEE ALSO
libcurl-thread(3)