When a protocol selection parameter option disables all protocols without
adding any, the default set of protocols remains in the allowed set due to
an error in the logic for removing protocols. The command below would
perform a request to curl.se with a plaintext protocol which has been
explicitly disabled:

    curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the
entire set of available protocols, in itself a command with no practical
use and therefore unlikely to be encountered in real situations. The curl
security team has thus assessed this to be a low severity bug.
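The following added example is a simplified model of the flaw described above, not curl's source code and not part of the original advisory. The three-protocol bit set, the function names and the fall-back-on-empty logic in `allowed_flawed` are assumptions chosen to show how an "everything removed" result can end up as the default set, next to a variant that keeps the set empty.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not curl's source: three protocols as bit flags. */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4, P_ALL = 7, P_DEFAULT = P_ALL };

static unsigned proto_bit(const char *name, size_t len) {
    static const struct { const char *n; unsigned bit; } tbl[] = {
        {"http", P_HTTP}, {"https", P_HTTPS}, {"ftp", P_FTP}, {"all", P_ALL}};
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strlen(tbl[i].n) == len && !strncmp(tbl[i].n, name, len))
            return tbl[i].bit;
    return 0; /* unknown name: no bits */
}

/* Apply a --proto style list ("-all,-http", "=https") to the default set. */
static unsigned apply_list(const char *list) {
    unsigned set = P_DEFAULT;
    while (*list) {
        char op = '+'; /* no modifier means "add" */
        if (*list == '+' || *list == '-' || *list == '=') op = *list++;
        size_t len = strcspn(list, ",");
        unsigned bit = proto_bit(list, len);
        if (op == '-') set &= ~bit;
        else if (op == '=') set = bit;
        else set |= bit;
        list += len;
        if (*list == ',') list++;
    }
    return set;
}

/* Flawed pattern (assumed): an empty result is read as "nothing chosen". */
unsigned allowed_flawed(const char *list) {
    unsigned set = apply_list(list);
    return set ? set : P_DEFAULT; /* the default set silently comes back */
}

/* Hardened pattern: an empty result stays empty, so nothing is allowed. */
unsigned allowed_hardened(const char *list) {
    return apply_list(list);
}

int main(void) {
    const char *arg = "-all,-http"; /* the list from the command above */
    printf("flawed:   http allowed = %d\n", !!(allowed_flawed(arg) & P_HTTP));
    printf("hardened: http allowed = %d\n", !!(allowed_hardened(arg) & P_HTTP));
    return 0;
}
```

Both variants agree on every list that leaves at least one protocol enabled, which is why the defect only shows up when the whole set is disabled.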
Priority reason: Upstream developers consider this a low severity issue

Author | Note |
---|---|
mdeslaur | affects curl 7.85.0 to and including 8.6.0 |