curl-users
Re: Problem with ./ in redirect
Date: Wed, 09 Oct 2002 04:50:53 -0500
Daniel,
Sorry about the delay. It looks like the dotslash patch is working fine for me,
with 7.10. Thank you.
On the other hand, the patched 7.10 isn't working against a different server,
which is why it took me awhile to reply. Oddly enough, the server that *isn't*
working properly with 7.10 is an IIS4.0 box, and it's barfing on a dotslash
url. It's odd because that same url & server worked just fine with 7.9.8.
This strengthens my impression that the problem isn't really curl's, but rather
that something changed in the way IIS handles a dotslash url. Probably the "IIS
lockdown tool" that Kevin referred to.
Or it may be a user-induced problem... I may have multiple different curl
fragments beating each other up.
Ralph
Daniel Stenberg wrote:
> On Thu, 3 Oct 2002, Ralph Mitchell wrote:
>
> > I guess if the url starts with ./ it'll be ok to hack it off, or even wait
> > until just before sending out the url and then run along it taking out any
> > ./ that crept in?
>
> I'd rather not. I prefer to let the user be able to put in any kind of weirdo
> input he feels like.
>
> > But I'm afraid that it should probably be more generic than that, right?
> > In the case of the ../ that Kevin mentioned, the next-to-the-left directory
> > name (if there is one) should be removed, then the whole process repeated
> > until either no directory name fall between the server and the ../, or
> > until there are no more ../s. Did that make sense?
>
> This makes sense. I had a go at this just a while ago and attached to this
> mail is a patch that seems to work for me. I also added four test cases that
> proves this to work at least for the most obvious cases.
>
> > I don't suppose there's a 'canonicalise path' function in the C library, is
> > there? That would be just too easy... :)
>
> Correct.
>
> Anyway, please try the attached patch and see if it makes your life sunnier!
> (I made this patch against 7.10, but I bet you can apply it to older sources
> as well, should you want that.)
>
> --
> Daniel Stenberg -- curl related mails on curl related mailing lists please
>
> ------------------------------------------------------------------------
> Name: dotslash.patch
> dotslash.patch Type: Plain Text (TEXT/PLAIN)
> Encoding: BASE64
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
Received on 2002-10-09