libcurl-security.3 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423
  1. .\" **************************************************************************
  2. .\" * _ _ ____ _
  3. .\" * Project ___| | | | _ \| |
  4. .\" * / __| | | | |_) | |
  5. .\" * | (__| |_| | _ <| |___
  6. .\" * \___|\___/|_| \_\_____|
  7. .\" *
  8. .\" * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. .\" *
  10. .\" * This software is licensed as described in the file COPYING, which
  11. .\" * you should have received as part of this distribution. The terms
  12. .\" * are also available at https://curl.se/docs/copyright.html.
  13. .\" *
  14. .\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. .\" * copies of the Software, and permit persons to whom the Software is
  16. .\" * furnished to do so, under the terms of the COPYING file.
  17. .\" *
  18. .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. .\" * KIND, either express or implied.
  20. .\" *
  21. .\" * SPDX-License-Identifier: curl
  22. .\" *
  23. .\" **************************************************************************
  24. .\"
  25. .TH libcurl-security 3 "13 Feb 2018" "libcurl" "libcurl"
  26. .SH NAME
  27. libcurl-security \- security considerations when using libcurl
  28. .SH "Security"
  29. The libcurl project takes security seriously. The library is written with
  30. caution and precautions are taken to mitigate many kinds of risks encountered
  31. while operating with potentially malicious servers on the Internet. It is a
  32. powerful library, however, which allows application writers to make trade-offs
  33. between ease of writing and exposure to potential risky operations. If used
  34. the right way, you can use libcurl to transfer data pretty safely.
  35. Many applications are used in closed networks where users and servers can
  36. (possibly) be trusted, but many others are used on arbitrary servers and are
  37. fed input from potentially untrusted users. Following is a discussion about
  38. some risks in the ways in which applications commonly use libcurl and
  39. potential mitigations of those risks. It is not comprehensive, but shows
  40. classes of attacks that robust applications should consider. The Common
  41. Weakness Enumeration project at https://cwe.mitre.org/ is a good reference for
  42. many of these and similar types of weaknesses of which application writers
  43. should be aware.
  44. .SH "Command Lines"
  45. If you use a command line tool (such as curl) that uses libcurl, and you give
  46. options to the tool on the command line those options can get read by other
  47. users of your system when they use \fIps\fP or other tools to list currently
  48. running processes.
  49. To avoid these problems, never feed sensitive things to programs using command
  50. line options. Write them to a protected file and use the \-K option to avoid
  51. this.
  52. .SH ".netrc"
  53. \&.netrc is a pretty handy file/feature that allows you to login quickly and
  54. automatically to frequently visited sites. The file contains passwords in
  55. clear text and is a real security risk. In some cases, your .netrc is also
  56. stored in a home directory that is NFS mounted or used on another network
  57. based file system, so the clear text password will fly through your network
  58. every time anyone reads that file.
  59. For applications that enable .netrc use, a user who manage to set the right
  60. URL might then be possible to pass on passwords.
  61. To avoid these problems, do not use .netrc files and never store passwords in
  62. plain text anywhere.
  63. .SH "Clear Text Passwords"
  64. Many of the protocols libcurl supports send name and password unencrypted as
  65. clear text (HTTP Basic authentication, FTP, TELNET etc). It is easy for anyone
  66. on your network or a network nearby yours to just fire up a network analyzer
  67. tool and eavesdrop on your passwords. do not let the fact that HTTP Basic uses
  68. base64 encoded passwords fool you. They may not look readable at a first
  69. glance, but they are easily "deciphered" by anyone within seconds.
  70. To avoid this problem, use an authentication mechanism or other protocol that
  71. does not let snoopers see your password: Digest, CRAM-MD5, Kerberos, SPNEGO or
  72. NTLM authentication. Or even better: use authenticated protocols that protect
  73. the entire connection and everything sent over it.
  74. .SH "Unauthenticated Connections"
  75. Protocols that do not have any form of cryptographic authentication cannot
  76. with any certainty know that they communicate with the right remote server.
  77. If your application is using a fixed scheme or fixed host name, it is not safe
  78. as long as the connection is unauthenticated. There can be a man-in-the-middle
  79. or in fact the whole server might have been replaced by an evil actor.
  80. Unauthenticated protocols are unsafe. The data that comes back to curl may
  81. have been injected by an attacker. The data that curl sends might be modified
  82. before it reaches the intended server. If it even reaches the intended server
  83. at all.
  84. Remedies:
  85. .IP "Restrict operations to authenticated transfers"
  86. Use authenticated protocols protected with HTTPS or SSH.
  87. .IP "Make sure the server's certificate etc is verified"
  88. Never ever switch off certificate verification.
  89. .SH "Redirects"
  90. The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP
  91. redirects sent by a remote server. These redirects can refer to any kind of
  92. URL, not just HTTP. libcurl restricts the protocols allowed to be used in
  93. redirects for security reasons: only HTTP, HTTPS, FTP and FTPS are
  94. enabled by default. Applications may opt to restrict that set further.
  95. A redirect to a file: URL would cause the libcurl to read (or write) arbitrary
  96. files from the local filesystem. If the application returns the data back to
  97. the user (as would happen in some kinds of CGI scripts), an attacker could
  98. leverage this to read otherwise forbidden data (e.g.
  99. \fBfile://localhost/etc/passwd\fP).
  100. If authentication credentials are stored in the ~/.netrc file, or Kerberos is
  101. in use, any other URL type (not just file:) that requires authentication is
  102. also at risk. A redirect such as ftp://some-internal-server/private-file would
  103. then return data even when the server is password protected.
  104. In the same way, if an unencrypted SSH private key has been configured for the
  105. user running the libcurl application, SCP: or SFTP: URLs could access password
  106. or private-key protected resources,
  107. e.g. \fBsftp://user@some-internal-server/etc/passwd\fP
  108. The \fICURLOPT_REDIR_PROTOCOLS(3)\fP and \fICURLOPT_NETRC(3)\fP options can be
  109. used to mitigate against this kind of attack.
  110. A redirect can also specify a location available only on the machine running
  111. libcurl, including servers hidden behind a firewall from the attacker.
  112. e.g. http://127.0.0.1/ or http://intranet/delete-stuff.cgi?delete=all or
  113. tftp://bootp-server/pc-config-data
  114. Applications can mitigate against this by disabling
  115. \fICURLOPT_FOLLOWLOCATION(3)\fP and handling redirects itself, sanitizing URLs
  116. as necessary. Alternately, an app could leave \fICURLOPT_FOLLOWLOCATION(3)\fP
  117. enabled but set \fICURLOPT_REDIR_PROTOCOLS(3)\fP and install a
  118. \fICURLOPT_OPENSOCKETFUNCTION(3)\fP or \fICURLOPT_PREREQFUNCTION(3)\fP callback
  119. function in which addresses are sanitized before use.
  120. .SH "CRLF in Headers"
  121. For all options in libcurl which specify headers, including but not limited to
  122. \fICURLOPT_HTTPHEADER(3)\fP, \fICURLOPT_PROXYHEADER(3)\fP,
  123. \fICURLOPT_COOKIE(3)\fP, \fICURLOPT_USERAGENT(3)\fP, \fICURLOPT_REFERER(3)\fP
  124. and \fICURLOPT_RANGE(3)\fP, libcurl will send the headers as-is and will not
  125. apply any special sanitation or normalization to them.
  126. If you allow untrusted user input into these options without sanitizing CRLF
  127. sequences in them, someone malicious may be able to modify the request in a
  128. way you did not intend such as injecting new headers.
  129. .SH "Local Resources"
  130. A user who can control the DNS server of a domain being passed in within a URL
  131. can change the address of the host to a local, private address which a
  132. server-side libcurl-using application could then use. e.g. the innocuous URL
  133. \fBhttp://fuzzybunnies.example.com/\fP could actually resolve to the IP
  134. address of a server behind a firewall, such as 127.0.0.1 or
  135. 10.1.2.3. Applications can mitigate against this by setting a
  136. \fICURLOPT_OPENSOCKETFUNCTION(3)\fP or \fICURLOPT_PREREQFUNCTION(3)\fP and
  137. checking the address before a connection.
  138. All the malicious scenarios regarding redirected URLs apply just as well to
  139. non-redirected URLs, if the user is allowed to specify an arbitrary URL that
  140. could point to a private resource. For example, a web app providing a
  141. translation service might happily translate \fBfile://localhost/etc/passwd\fP
  142. and display the result. Applications can mitigate against this with the
  143. \fICURLOPT_PROTOCOLS(3)\fP option as well as by similar mitigation techniques
  144. for redirections.
  145. A malicious FTP server could in response to the PASV command return an IP
  146. address and port number for a server local to the app running libcurl but
  147. behind a firewall. Applications can mitigate against this by using the
  148. \fICURLOPT_FTP_SKIP_PASV_IP(3)\fP option or \fICURLOPT_FTPPORT(3)\fP.
  149. Local servers sometimes assume local access comes from friends and trusted
  150. users. An application that expects https://example.com/file_to_read that and
  151. instead gets http://192.168.0.1/my_router_config might print a file that would
  152. otherwise be protected by the firewall.
  153. Allowing your application to connect to local hosts, be it the same machine
  154. that runs the application or a machine on the same local network, might be
  155. possible to exploit by an attacker who then perhaps can "port-scan" the
  156. particular hosts - depending on how the application and servers acts.
  157. .SH "IPv4 Addresses"
  158. Some users might be tempted to filter access to local resources or similar
  159. based on numerical IPv4 addresses used in URLs. This is a bad and error-prone
  160. idea because of the many different ways a numerical IPv4 address can be
  161. specified and libcurl accepts: one to four dot-separated fields using one of
  162. or a mix of decimal, octal or hexadecimal encoding.
  163. .SH "IPv6 Addresses"
  164. libcurl will normally handle IPv6 addresses transparently and just as easily
  165. as IPv4 addresses. That means that a sanitizing function that filters out
  166. addresses like 127.0.0.1 is not sufficient--the equivalent IPv6 addresses
  167. \fB::1\fP, \fB::\fP, \fB0:00::0:1\fP, \fB::127.0.0.1\fP and
  168. \fB::ffff:7f00:1\fP supplied somehow by an attacker would all bypass a naive
  169. filter and could allow access to undesired local resources. IPv6 also has
  170. special address blocks like link-local and site-local that generally should
  171. not be accessed by a server-side libcurl-using application. A poorly
  172. configured firewall installed in a data center, organization or server may
  173. also be configured to limit IPv4 connections but leave IPv6 connections wide
  174. open. In some cases, setting \fICURLOPT_IPRESOLVE(3)\fP to CURL_IPRESOLVE_V4
  175. can be used to limit resolved addresses to IPv4 only and bypass these issues.
  176. .SH Uploads
  177. When uploading, a redirect can cause a local (or remote) file to be
  178. overwritten. Applications must not allow any unsanitized URL to be passed in
  179. for uploads. Also, \fICURLOPT_FOLLOWLOCATION(3)\fP should not be used on
  180. uploads. Instead, the applications should consider handling redirects itself,
  181. sanitizing each URL first.
  182. .SH Authentication
  183. Use of \fICURLOPT_UNRESTRICTED_AUTH(3)\fP could cause authentication
  184. information to be sent to an unknown second server. Applications can mitigate
  185. against this by disabling \fICURLOPT_FOLLOWLOCATION(3)\fP and handling
  186. redirects itself, sanitizing where necessary.
  187. Use of the CURLAUTH_ANY option to \fICURLOPT_HTTPAUTH(3)\fP could result in
  188. user name and password being sent in clear text to an HTTP server. Instead,
  189. use CURLAUTH_ANYSAFE which ensures that the password is encrypted over the
  190. network, or else fail the request.
  191. Use of the CURLUSESSL_TRY option to \fICURLOPT_USE_SSL(3)\fP could result in
  192. user name and password being sent in clear text to an FTP server. Instead,
  193. use CURLUSESSL_CONTROL to ensure that an encrypted connection is used or else
  194. fail the request.
  195. .SH Cookies
  196. If cookies are enabled and cached, then a user could craft a URL which
  197. performs some malicious action to a site whose authentication is already
  198. stored in a cookie. e.g. http://mail.example.com/delete-stuff.cgi?delete=all
  199. Applications can mitigate against this by disabling cookies or clearing them
  200. between requests.
  201. .SH "Dangerous SCP URLs"
  202. SCP URLs can contain raw commands within the scp: URL, which is a side effect
  203. of how the SCP protocol is designed. e.g.
  204. .nf
  205. scp://user:pass@host/a;date >/tmp/test;
  206. .fi
  207. Applications must not allow unsanitized SCP: URLs to be passed in for
  208. downloads.
  209. .SH "file://"
  210. By default curl and libcurl support file:// URLs. Such a URL is always an
  211. access, or attempted access, to a local resource. If your application wants to
  212. avoid that, keep control of what URLs to use and/or prevent curl/libcurl from
  213. using the protocol.
  214. By default, libcurl prohibits redirects to file:// URLs.
  215. .SH "Warning: file:// on Windows"
  216. The Windows operating system will automatically, and without any way for
  217. applications to disable it, try to establish a connection to another host over
  218. the network and access it (over SMB or other protocols), if only the correct
  219. file path is accessed.
  220. When first realizing this, the curl team tried to filter out such attempts in
  221. order to protect applications for inadvertent probes of for example internal
  222. networks etc. This resulted in CVE-2019-15601 and the associated security fix.
  223. However, we have since been made aware of the fact that the previous fix was far
  224. from adequate as there are several other ways to accomplish more or less the
  225. same thing: accessing a remote host over the network instead of the local file
  226. system.
  227. The conclusion we have come to is that this is a weakness or feature in the
  228. Windows operating system itself, that we as an application cannot safely
  229. protect users against. It would just be a whack-a-mole race we do not want to
  230. participate in. There are too many ways to do it and there's no knob we can
  231. use to turn off the practice.
  232. If you use curl or libcurl on Windows (any version), disable the use of the
  233. FILE protocol in curl or be prepared that accesses to a range of "magic paths"
  234. will potentially make your system try to access other hosts on your
  235. network. curl cannot protect you against this.
  236. .SH "What if the user can set the URL"
  237. Applications may find it tempting to let users set the URL that it can work
  238. on. That is probably fine, but opens up for mischief and trickery that you as
  239. an application author may want to address or take precautions against.
  240. If your curl-using script allow a custom URL do you also, perhaps
  241. unintentionally, allow the user to pass other options to the curl command line
  242. if creative use of special characters are applied?
  243. If the user can set the URL, the user can also specify the scheme part to
  244. other protocols that you did not intend for users to use and perhaps did not
  245. consider. curl supports over 20 different URL schemes. "http://" might be what
  246. you thought, "ftp://" or "imap://" might be what the user gives your
  247. application. Also, cross-protocol operations might be done by using a
  248. particular scheme in the URL but point to a server doing a different protocol
  249. on a non-standard port.
  250. Remedies:
  251. .IP "Use --proto"
  252. curl command lines can use \fI--proto\fP to limit what URL schemes it accepts
  253. .IP "Use CURLOPT_PROTOCOLS"
  254. libcurl programs can use \fICURLOPT_PROTOCOLS(3)\fP to limit what URL schemes it accepts
  255. .IP "consider not allowing the user to set the full URL"
  256. Maybe just let the user provide data for parts of it? Or maybe filter input to
  257. only allow specific choices?
  258. .SH "RFC 3986 vs WHATWG URL"
  259. curl supports URLs mostly according to how they are defined in RFC 3986, and
  260. has done so since the beginning.
  261. Web browsers mostly adhere to the WHATWG URL Specification.
  262. This deviance makes some URLs copied between browsers (or returned over HTTP
  263. for redirection) and curl not work the same way. It can also cause problems if
  264. an application parses URLs differently from libcurl and makes different
  265. assumptions about a link. This can mislead users into getting the wrong thing,
  266. connecting to the wrong host or otherwise not working identically.
  267. Within an application, this can be mitigated by always using the
  268. \fIcurl_url(3)\fP API to parse URLs, ensuring that they are parsed the same way
  269. as within libcurl itself.
  270. .SH "FTP uses two connections"
  271. When performing an FTP transfer, two TCP connections are used: one for setting
  272. up the transfer and one for the actual data.
  273. FTP is not only unauthenticated, but the setting up of the second transfer is
  274. also a weak spot. The second connection to use for data, is either setup with
  275. the PORT/EPRT command that makes the server connect back to the client on the
  276. given IP+PORT, or with PASV/EPSV that makes the server setup a port to listen
  277. to and tells the client to connect to a given IP+PORT.
  278. Again, unauthenticated means that the connection might be meddled with by a
  279. man-in-the-middle or that there's a malicious server pretending to be the
  280. right one.
  281. A malicious FTP server can respond to PASV commands with the IP+PORT of a
  282. totally different machine. Perhaps even a third party host, and when there are
  283. many clients trying to connect to that third party, it could create a
  284. Distributed Denial-Of-Service attack out of it. If the client makes an upload
  285. operation, it can make the client send the data to another site. If the
  286. attacker can affect what data the client uploads, it can be made to work as a
  287. HTTP request and then the client could be made to issue HTTP requests to third
  288. party hosts.
  289. An attacker that manages to control curl's command line options can tell curl
  290. to send an FTP PORT command to ask the server to connect to a third party host
  291. instead of back to curl.
  292. The fact that FTP uses two connections makes it vulnerable in a way that is
  293. hard to avoid.
  294. .SH "Denial of Service"
  295. A malicious server could cause libcurl to effectively hang by sending data
  296. slowly, or even no data at all but just keeping the TCP connection open. This
  297. could effectively result in a denial-of-service attack. The
  298. \fICURLOPT_TIMEOUT(3)\fP and/or \fICURLOPT_LOW_SPEED_LIMIT(3)\fP options can
  299. be used to mitigate against this.
  300. A malicious server could cause libcurl to download an infinite amount of data,
  301. potentially causing all of memory or disk to be filled. Setting the
  302. \fICURLOPT_MAXFILESIZE_LARGE(3)\fP option is not sufficient to guard against
  303. this. Instead, applications should monitor the amount of data received within
  304. the write or progress callback and abort once the limit is reached.
  305. A malicious HTTP server could cause an infinite redirection loop, causing a
  306. denial-of-service. This can be mitigated by using the
  307. \fICURLOPT_MAXREDIRS(3)\fP option.
  308. .SH "Arbitrary Headers"
  309. User-supplied data must be sanitized when used in options like
  310. \fICURLOPT_USERAGENT(3)\fP, \fICURLOPT_HTTPHEADER(3)\fP,
  311. \fICURLOPT_POSTFIELDS(3)\fP and others that are used to generate structured
  312. data. Characters like embedded carriage returns or ampersands could allow the
  313. user to create additional headers or fields that could cause malicious
  314. transactions.
  315. .SH "Server-supplied Names"
  316. A server can supply data which the application may, in some cases, use as a
  317. file name. The curl command-line tool does this with
  318. \fI--remote-header-name\fP, using the Content-disposition: header to generate
  319. a file name. An application could also use \fICURLINFO_EFFECTIVE_URL(3)\fP to
  320. generate a file name from a server-supplied redirect URL. Special care must be
  321. taken to sanitize such names to avoid the possibility of a malicious server
  322. supplying one like \fB"/etc/passwd"\fP, \fB"\\autoexec.bat"\fP, \fB"prn:"\fP
  323. or even \fB".bashrc"\fP.
  324. .SH "Server Certificates"
  325. A secure application should never use the \fICURLOPT_SSL_VERIFYPEER(3)\fP
  326. option to disable certificate validation. There are numerous attacks that are
  327. enabled by applications that fail to properly validate server TLS/SSL
  328. certificates, thus enabling a malicious server to spoof a legitimate
  329. one. HTTPS without validated certificates is potentially as insecure as a
  330. plain HTTP connection.
  331. .SH "Showing What You Do"
  332. Relatedly, be aware that in situations when you have problems with libcurl and
  333. ask someone for help, everything you reveal in order to get best possible help
  334. might also impose certain security related risks. Host names, user names,
  335. paths, operating system specifics, etc. (not to mention passwords of course)
  336. may in fact be used by intruders to gain additional information of a potential
  337. target.
  338. Be sure to limit access to application logs if they could hold private or
  339. security-related data. Besides the obvious candidates like user names and
  340. passwords, things like URLs, cookies or even file names could also hold
  341. sensitive data.
  342. To avoid this problem, you must of course use your common sense. Often, you
  343. can just edit out the sensitive data or just search/replace your true
  344. information with faked data.
  345. .SH "setuid applications using libcurl"
  346. libcurl-using applications that set the 'setuid' bit to run with elevated or
  347. modified rights also implicitly give that extra power to libcurl and this
  348. should only be done after careful considerations.
  349. Giving setuid powers to the application means that libcurl can save files using
  350. those new rights (if for example the `SSLKEYLOGFILE` environment variable is
  351. set). Also: if the application wants these powers to read or manage secrets
  352. that the user is otherwise not able to view (like credentials for a login
  353. etc), it should be noted that libcurl still might understand proxy environment
  354. variables that allow the user to redirect libcurl operations to use a proxy
  355. controlled by the user.
  356. .SH "File descriptors, fork and NTLM"
  357. An application that uses libcurl and invokes \fIfork()\fP will get all file
  358. descriptors duplicated in the child process, including the ones libcurl
  359. created.
  360. libcurl itself uses \fIfork()\fP and \fIexecl()\fP if told to use the
  361. \fBCURLAUTH_NTLM_WB\fP authentication method which then will invoke the helper
  362. command in a child process with file descriptors duplicated. Make sure that
  363. only the trusted and reliable helper program is invoked!
  364. .SH "Secrets in memory"
  365. When applications pass user names, passwords or other sensitive data to
  366. libcurl to be used for upcoming transfers, those secrets will be kept around
  367. as-is in memory. In many cases they will be stored in heap for as long as the
  368. handle itself for which the options are set.
  369. If an attacker can access the heap, like maybe by reading swap space or via a
  370. core dump file, such data might be accessible.
  371. Further, when eventually closing a handle and the secrets are no longer
  372. needed, libcurl does not explicitly clear memory before freeing it, so
  373. credentials may be left in freed data.
  374. .SH "Report Security Problems"
  375. Should you detect or just suspect a security problem in libcurl or curl,
  376. contact the project curl security team immediately. See
  377. https://curl.se/dev/secprocess.html for details.