- From: Daniel Stenberg <daniel@haxx.se>
- Date: Mon, 30 Nov 2009 22:00:26 +0100 (CET)
- To: Tyler Close <tyler.close@gmail.com>
- cc: HTTP Working Group <ietf-http-wg@w3.org>
On Mon, 30 Nov 2009, Tyler Close wrote:

>> An API such as libcurl (http://curl.haxx.se/libcurl/) doesn't contain any
>> such restrictions, or does it?
>
> If you use libcurl to send a PUT request and the target resource responds
> with a 307, which libcurl then automatically follows

libcurl only "automatically" follows that if the app told it to act like that. It follows no redirects by default. I know that's not the topic here but I thought I'd clarify.

> Consider a webbot that sends a PUT request to a resource on the open
> Internet, which responds with a 307 to a resource behind the same firewall
> as the webbot. The webbot has essentially punched a hole in the firewall.

If a server does that I would consider that server/page to be a security problem or flaw. Even evil guys can run webbots I believe.

--
 / daniel.haxx.se
Received on Monday, 30 November 2009 21:01:06 UTC
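
Added example, not part of the original message and not libcurl code: a redirect policy a webbot could apply before following a 307, covering the case in the thread where a server on the open Internet redirects a PUT to a host behind the client's firewall. The function names, the `resolve` parameter and the sample hosts and addresses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}

# Constructed sample data so the example runs offline (not real infrastructure).
SAMPLE_HOSTS = {
    "public.example": ["93.184.216.34"],
    "other.example": ["93.184.216.35"],
    "intranet.example": ["10.0.0.5"],
}


def sample_resolve(host):
    """Stand-in resolver over the constructed table above."""
    return SAMPLE_HOSTS.get(host, [])


def addresses(host, resolve):
    """Return the IP addresses for a host name or an IP literal."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolve(host)


def is_internal(addr):
    """True for any address that is not globally routable (private, loopback, ...)."""
    return not ipaddress.ip_address(addr).is_global


def redirect_decision(method, request_url, location, resolve):
    """Decide whether a 307 from request_url to location may be followed."""
    source = urlsplit(request_url)
    target = urlsplit(urljoin(request_url, location))
    if target.scheme not in ("http", "https") or not target.hostname:
        return False, "unsupported redirect target"
    src = addresses(source.hostname, resolve)
    dst = addresses(target.hostname, resolve)
    if not dst:
        return False, "redirect target does not resolve"
    # The case from the thread: a public server points the client inward.
    if not any(map(is_internal, src)) and any(map(is_internal, dst)):
        return False, "public origin redirects to internal address"
    same_origin = (source.scheme, source.hostname, source.port) == (
        target.scheme, target.hostname, target.port)
    # Policy assumption: a 307 re-sends method and body, so keep it same-origin.
    if method.upper() not in SAFE_METHODS and not same_origin:
        return False, "cross-origin redirect of non-safe request"
    return True, "ok"
```

A real client must then connect to the address that was checked, since a second DNS lookup can return a different answer.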