I was browsing through the https code and noticed that Snoopy utilizes an exec call to curl, but I didn't see any attempts to escape the command line parameters. Did I miss it?
Snoopy does not use cURL libraries because it is considered that cURL's implementation into PHP is not stable yet.
But when cURL is called as an executable by PHP, this acts as a binary process. So your process can be sniffed by a hacker. So it is very bad for mission-critical applications, especially while fetching, let's say, credit card information secured via https.
I think by the version 1 of cURL, preferring cURL libraries would be a better idea.
Of course, everybody can change the source code of Snoopy and have a personal version using libraries. This would not be a complicated job.
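
The escaping concern raised in the first post, as an added example that is not part of the original thread and not Snoopy's code: an unquoted curl command line beside one built with `escapeshellarg()`, plus a shell-free variant. All function names, the curl path and the sample URL are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not code from Snoopy.

// Unsafe pattern: the URL reaches the shell unquoted, so shell
// metacharacters in it are interpreted by the shell, not by curl.
function curl_cmd_unsafe(string $curlPath, string $url): string
{
    return $curlPath . ' -s ' . $url;
}

// Hardened: accept only http(s) URLs without control characters, and
// quote every caller-supplied value with escapeshellarg().
function curl_cmd_escaped(string $curlPath, string $url, array $headers = []): string
{
    if (!preg_match('#^https?://#i', $url) || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        throw new InvalidArgumentException('URL rejected');
    }
    $parts = [escapeshellarg($curlPath), '-s'];
    foreach ($headers as $header) {
        if (preg_match('/[\x00-\x1f\x7f]/', $header)) {
            throw new InvalidArgumentException('Header rejected');
        }
        $parts[] = '-H';
        $parts[] = escapeshellarg($header);
    }
    $parts[] = escapeshellarg($url);
    return implode(' ', $parts);
}

// Alternative (PHP 7.4+): an array command makes proc_open() start curl
// directly, with no shell involved. Validate the URL as above before use.
// Defined for reference; not called below, so the example runs offline.
function curl_fetch_no_shell(string $curlPath, string $url): string
{
    $proc = proc_open([$curlPath, '-s', $url], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start curl');
    }
    $body = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $body;
}

// Constructed sample input; the commands are printed, not executed.
$url = 'https://example.test/?q=1; echo INJECTED';
echo curl_cmd_unsafe('/usr/bin/curl', $url), PHP_EOL;
echo curl_cmd_escaped('/usr/bin/curl', $url, ['X-Demo: a b']), PHP_EOL;
```

In the first printed line the text after `;` would be parsed by the shell as a second command; in the second line the whole URL is a single quoted argument to curl.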