
curl-users

Re: Patch to use filename from Content-disposition header

From: Björn Stenberg <bjorn_at_haxx.se>
Date: Mon, 11 Jan 2010 21:45:01 +0100

Kamil Dudka wrote:
> + /* FIXME: are we ready for more than one '/'? - possible attack */
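Review bot: the FIXME on this `+` line leaves "possible attack" in the code without saying what is actually enforced; replace it with a comment stating the invariant the reply below describes (only the portion after the last '/' is used as the output name, so extra path separators carry no more risk than none) so the next reader does not have to reconstruct it from this thread.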

We only use the filename portion of any path, so any possible attack is just as possible without using / at all.

> - As for the parser, I've encountered a bug on the first URL I tried.
> Generally it is supposed to do sort of regex matching, right?

I don't actually remember why I did the "manual" string compare in the first place... :-O Here's a new patch with header_callback() changed to use memcmp(), fixes some string boundary issues and addresses all your comments (although a few const changes are reversed since they caused compiler warnings).

The patch also contains a paragraph for the man page. I've been looking at adding some test cases too, but it requires a bit of refactoring of the test framework since it currently is not designed to handle -O.

Thank you for reviewing and testing!

-- 
Björn
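As an added illustration of the behaviour discussed in this thread (this is example code, not Björn's patch or curl's own header_callback()), the function below parses a Content-Disposition header line and keeps only the part of the filename after the last '/' or '\\', which is the property that makes extra separators harmless. The function name cd_filename is invented; it uses strncasecmp for the header name because HTTP header names are case-insensitive, where the patch on the list uses memcmp. The header lines in main() are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Extract the bare filename from one Content-Disposition header line
 * (hypothetical helper, not curl's code).
 * Returns 1 and writes the name to out on success, 0 otherwise.
 * Only the text after the last '/' or '\\' is kept, so a server cannot
 * steer the output into another directory. */
int cd_filename(const char *line, size_t linelen, char *out, size_t outlen)
{
    static const char name[] = "Content-Disposition:";
    const size_t namelen = sizeof(name) - 1;
    size_t pos, start, stop, base, n;

    if (linelen < namelen || strncasecmp(line, name, namelen) != 0)
        return 0;                       /* not the header we care about */

    /* locate "filename=" (case-insensitive) among the parameters */
    pos = namelen;
    while (pos + 9 <= linelen && strncasecmp(line + pos, "filename=", 9) != 0)
        pos++;
    if (pos + 9 > linelen)
        return 0;                       /* no filename parameter at all */
    pos += 9;

    if (pos < linelen && line[pos] == '"') {
        /* quoted-string: everything up to the closing quote */
        start = ++pos;
        while (pos < linelen && line[pos] != '"')
            pos++;
    } else {
        /* bare token: up to ';', whitespace or end of line (handles CRLF) */
        start = pos;
        while (pos < linelen && line[pos] != ';' &&
               !isspace((unsigned char)line[pos]))
            pos++;
    }
    stop = pos;

    /* strip any directory components, Unix or Windows style */
    base = start;
    for (pos = start; pos < stop; pos++) {
        if (line[pos] == '/' || line[pos] == '\\')
            base = pos + 1;
    }

    n = stop - base;
    if (n == 0 || n >= outlen)
        return 0;                       /* empty name or would not fit */
    memcpy(out, line + base, n);
    out[n] = '\0';

    /* refuse names that are just directory references */
    if (strcmp(out, ".") == 0 || strcmp(out, "..") == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed header lines for demonstration */
    const char *lines[] = {
        "Content-Disposition: attachment; filename=\"report.pdf\"\r\n",
        "content-disposition: attachment; filename=\"../../etc/passwd\"\r\n",
        "Content-Disposition: inline; filename=..\r\n",
        "Content-Type: text/html\r\n",
    };
    char out[64];
    size_t i;
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        if (cd_filename(lines[i], strlen(lines[i]), out, sizeof(out)))
            printf("use: %s\n", out);
        else
            printf("no usable filename\n");
    }
    return 0;
}
```

The second line shows why the reply above is right to worry only about the final component: "../../etc/passwd" collapses to "passwd", and a client still has to decide whether to overwrite an existing file of that name in the current directory.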
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-01-11