Allow --resolve <host:*:address>

[jidanni]

Man page has

       --resolve <host:port:address>
              Provide a custom address for a  specific  host  and  port  pair.
              Using  this,  you  can make the curl requests(s) use a specified
              address and prevent the otherwise normally resolved  address  to
              be  used.  Consider it a sort of /etc/hosts alternative provided

Real /etc/hosts doesn't require a separate entry for each port number!

              on the command line. The port number should be the  number  used
              for  the  specific  protocol the host will be used for. It means
              you need several entries if you want to provide address for  the
              same host but different ports.

I.e., 65536 entries if one wants to cover all 65536 ports!

So please allow e.g., --resolve <host:*:address> if one wants to cover
all ports.

And --resolve <hostA:*:address1> --resolve <hostA:4444:address2> ...
to allow making all ports go to address1 except certain ones to address2...

If <host:*:address> is ugly, then perhaps use <host::address> or <host:address> or all three.

[gvanem]

Couldn't this be a security issue? I.e. downgrading a https url to http. Like in:

curl  --resolve secure-site.com:80:<non-secure-site-ip> https://secure-site.com

This seems impossible now.

[jidanni]

Well all existing and future security issues regarding --resolve should be noted in the --resolve paragraph there on the man page.

[bagder]

Real /etc/hosts doesn't require a separate entry for each port number!

Which is why it says it is a sort of alternative.

The other main reason is that the internal DNS cache already uses host name + port number in the lookup so doing it independent of port number needs more work. I'm not against the idea, I just think it is a fairly niche use case so I will probably not work on this myself.

I don't think it has a security impact, as it only changes what IP to use for a given name + port provided in the URL. That can already be changed by changing /etc/hosts. For proper HTTPS, there's still certificate verification that needs to be passed.

[mkauf]

The option --connect-to works with empty strings instead of *, so please consider --resolve <host::address> instead of --resolve <host:*:address>

[bagder]

Thank you, this idea is now mentioned in the TODO document!

[Alexander--]

I am currently trying to get libcurl working with c-ares, and I am interested in implementing this feature to get localhost urls working

@bagder Pre-filled DNS entries should work with c-ares, right?

[Alexander--]

Disregard that, I just read the source code and this looks a bit… more interesting than expected. I guess, I will have to look into #1386 or something