curl-users

Re: Metalink support patch for curl

From: Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
Date: Sat, 12 May 2012 00:09:57 +0900

On Fri, May 11, 2012 at 5:01 AM, Anthony Bryan <anthonybryan_at_gmail.com> wrote:
> On Tue, May 8, 2012 at 11:28 AM,  <curl-users-request_at_cool.haxx.se> wrote:
>> Message: 1
>> Date: Wed, 9 May 2012 00:28:30 +0900
>> From: Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
>> To: the curl tool <curl-users_at_cool.haxx.se>
>> Subject: Re: Metalink support patch for curl
>> Message-ID:
>>        <CAPyZ6=L1At3YREO_y21VtVgYqwt=bEPECBXWpkZuqu_jTmLZzw_at_mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> On Mon, May 7, 2012 at 1:18 AM, Tatsuhiro Tsujikawa
>> <tatsuhiro.t_at_gmail.com> wrote:
>
>> I included above change in the attached patch.
>> I also fixed the issue when content-type has parameters. Now you can download
>> http://openoffice.mirrorbrain.org/stable/3.3.0/OOo-SDK_3.3.0_Linux_x86-64_install-deb_en-US.tar.gz.metalink
>
> thanks, that works for me!
>
> could you also sanitize <file name=""> because I noticed I could use
> <file name="../foo"> or <file name="/root/bar"> and traverse
> directories.
>
> is it possible to have this sanitizing in libmetalink? then it would
> only need to be done once there for any app that uses it. or maybe it
> is better suited to these curl patches, I don't know.
>
> from http://tools.ietf.org/html/rfc5854#section-4.1.2.1
>
>      Security Note: The path MUST NOT contain any directory traversal
>      directives or information.  The path MUST be relative.  The path
>      MUST NOT begin with a "/", "./", or "../"; contain "/../"; or end
>      with "/..".
>

I agree to do this sanitizing in libmetalink. Good idea.

Best regards,

Tatsuhiro Tsujikawa

> --
> (( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
>   )) Easier, More Reliable, Self Healing Downloads
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-users
> FAQ:        http://curl.haxx.se/docs/faq.html
> Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2012-05-11
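
The check requested in this thread, as an added example (not code from the patch, curl or libmetalink): a C function, hypothetically named `metalink_name_is_safe`, that applies the quoted RFC 5854 section 4.1.2.1 rules to a `<file name="">` value component by component. Treating `\` as a separator is an assumption that goes beyond the quoted RFC text.

```c
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical helper, not libmetalink or curl code. */

/* Assumption beyond the quoted RFC text: '\\' is also treated as a
 * separator so the same check holds where it is one (Windows). */
static int is_sep(char c)
{
  return c == '/' || c == '\\';
}

/* Returns 1 if name is acceptable as <file name="...">, 0 if not. */
int metalink_name_is_safe(const char *name)
{
  const char *seg = name;

  if(name == NULL || name[0] == '\0')
    return 0;                     /* no usable name */
  if(is_sep(name[0]))
    return 0;                     /* absolute: "MUST be relative" */
  if(name[0] == '.' && is_sep(name[1]))
    return 0;                     /* begins with "./" */

  /* Check each component. Rejecting any ".." component covers a
   * leading "../", an embedded "/../", a trailing "/.." and a bare
   * "..", while names such as "a..b" or "..foo" stay valid. */
  for(;;) {
    size_t len = strcspn(seg, "/\\");
    if(len == 2 && seg[0] == '.' && seg[1] == '.')
      return 0;
    if(seg[len] == '\0')
      break;
    seg += len + 1;
  }
  return 1;
}

int main(void)
{
  /* Constructed inputs; the first two are the names from the mail. */
  const char *names[] = { "../foo", "/root/bar", "a/../b", "a/..",
                          "dir/file.tar.gz" };
  size_t i;
  for(i = 0; i < sizeof(names) / sizeof(names[0]); i++)
    printf("%-16s %s\n", names[i],
           metalink_name_is_safe(names[i]) ? "accept" : "reject");
  return 0;
}
```

A caller would run this on the parsed name before building the output path and skip or fail the entry on a 0 result, rather than trying to rewrite the name.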