
Re: [Bug-wget] [curlsec] [USN-3464-1] Wget vulnerabilities


From: Dale R. Worley
Subject: Re: [Bug-wget] [curlsec] [USN-3464-1] Wget vulnerabilities
Date: Sun, 31 Dec 2017 09:13:47 -0500

Kristian Erik Hermansen <address@hidden> writes:
> I still contend that this is at least a bug, and potentially a
> security issue, but only when the headers are ones that should NEVER
> have multiple values.

I agree with others that it's not clear that there's a security issue
here.  It appears that wget/curl can be used to generate HTTP requests
(or pseudo-HTTP requests) that might exploit security problems in web
servers, but that's the web servers' problem, not wget's/curl's.

Certainly, making sure that wget/curl can't generate such requests
doesn't stop the black-hats from generating them by other means.

Dale


