Daniel,

Sorry about the delay. It looks like the dotslash patch is working fine for me,
with 7.10. Thank you.

On the other hand, the patched 7.10 isn't working against a different server,
which is why it took me awhile to reply. Oddly enough, the server that *isn't*
working properly with 7.10 is an IIS4.0 box, and it's barfing on a dotslash
url. It's odd because that same url & server worked just fine with 7.9.8.

This strengthens my impression that the problem isn't really curl's, but rather
that something changed in the way IIS handles a dotslash url. Probably the "IIS
lockdown tool" that Kevin referred to.

Or it may be a user-induced problem... I may have multiple different curl
fragments beating each other up.

Ralph

Daniel Stenberg wrote:

> On Thu, 3 Oct 2002, Ralph Mitchell wrote:
>
> > I guess if the url starts with ./ it'll be ok to hack it off, or even wait
> > until just before sending out the url and then run along it taking out any
> > ./ that crept in?
>
> I'd rather not. I prefer to let the user be able to put in any kind of weirdo
> input he feels like.
>
> > But I'm afraid that it should probably be more generic than that, right?
> > In the case of the ../ that Kevin mentioned, the next-to-the-left directory
> > name (if there is one) should be removed, then the whole process repeated
> > until either no directory name fall between the server and the ../, or
> > until there are no more ../s. Did that make sense?
>
> This makes sense. I had a go at this just a while ago and attached to this
> mail is a patch that seems to work for me. I also added four test cases that
> proves this to work at least for the most obvious cases.
>
> > I don't suppose there's a 'canonicalise path' function in the C library, is
> > there? That would be just too easy... :)
>
> Correct.
>
> Anyway, please try the attached patch and see if it makes your life sunnier!
> (I made this patch against 7.10, but I bet you can apply it to older sources
> as well, should you want that.)
>
> --
> Daniel Stenberg -- curl related mails on curl related mailing lists please
>
> ------------------------------------------------------------------------
> Name: dotslash.patch
> dotslash.patch Type: Plain Text (TEXT/PLAIN)
> Encoding: BASE64

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
Received on 2002-10-09