curl-users

Re: Metalink support patch for curl

From: Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
Date: Sun, 13 May 2012 21:28:07 +0900

On Sat, May 12, 2012 at 12:09 AM, Tatsuhiro Tsujikawa
<tatsuhiro.t_at_gmail.com> wrote:
> On Fri, May 11, 2012 at 5:01 AM, Anthony Bryan <anthonybryan_at_gmail.com> wrote:
>> On Tue, May 8, 2012 at 11:28 AM,  <curl-users-request_at_cool.haxx.se> wrote:
>>> Message: 1
>>> Date: Wed, 9 May 2012 00:28:30 +0900
>>> From: Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
>>> To: the curl tool <curl-users_at_cool.haxx.se>
>>> Subject: Re: Metalink support patch for curl
>>> Message-ID:
>>>        <CAPyZ6=L1At3YREO_y21VtVgYqwt=bEPECBXWpkZuqu_jTmLZzw_at_mail.gmail.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> On Mon, May 7, 2012 at 1:18 AM, Tatsuhiro Tsujikawa
>>> <tatsuhiro.t_at_gmail.com> wrote:
>>
>>> I included above change in the attached patch.
>>> I also fixed the issue when content-type has parameters. Now you can download
>>> http://openoffice.mirrorbrain.org/stable/3.3.0/OOo-SDK_3.3.0_Linux_x86-64_install-deb_en-US.tar.gz.metalink
>>
>> thanks, that works for me!
>>
>> could you also sanitize <file name=""> because I noticed I could use
>> <file name="../foo"> or <file name="/root/bar"> and traverse
>> directories.
>>
>> is it possible to have this sanitizing in libmetalink? then it would
>> only need to be done once there for any app that uses it. or maybe it
>> is better suited to these curl patches, I don't know.
>>
>> from http://tools.ietf.org/html/rfc5854#section-4.1.2.1
>>
>>      Security Note: The path MUST NOT contain any directory traversal
>>      directives or information.  The path MUST be relative.  The path
>>      MUST NOT begin with a "/", "./", or "../"; contain "/../"; or end
>>      with "/..".
>>
>
> I agree to make this sanitizing in libmetalink. Good idea.
>

Fixed in libmetalink trunk.

Best regards,

Tatsuhiro Tsujikawa

> Best regards,
>
> Tatsuhiro Tsujikawa
>
>> --
>> (( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
>>   )) Easier, More Reliable, Self Healing Downloads
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-users
>> FAQ:        http://curl.haxx.se/docs/faq.html
>> Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2012-05-13
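
The RFC 5854 section 4.1.2.1 rule quoted in the thread, written out as a check on a `<file name="">` value. This is an added example, not part of the original mail and not libmetalink's code; the function name `metalink_name_is_safe` is hypothetical. It goes slightly beyond the quoted text by also rejecting an empty name and the bare name "..".

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not libmetalink's API): returns 1 when a Metalink
 * <file name="..."> value satisfies the RFC 5854 section 4.1.2.1 rules
 * quoted in the thread, 0 otherwise. Only '/' is treated as a separator;
 * platform-specific forms (backslashes, drive letters) are not covered. */
static int metalink_name_is_safe(const char *name)
{
    const char *seg;

    if (name == NULL || name[0] == '\0')
        return 0;                       /* added: empty name is unusable */
    if (name[0] == '/')
        return 0;                       /* path must be relative */
    if (strncmp(name, "./", 2) == 0)
        return 0;                       /* must not begin with "./" */

    /* Walk the '/'-separated segments. Rejecting any segment equal to ".."
     * covers a leading "../", an embedded "/../" and a trailing "/..",
     * plus the bare name "..", which the literal RFC list does not name. */
    for (seg = name; ; ) {
        size_t len = strcspn(seg, "/");
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;
        if (seg[len] == '\0')
            break;
        seg += len + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names; the two traversal cases come from the thread. */
    const char *samples[] = { "../foo", "/root/bar", "dir/file.iso",
                              "a/../b", "a/..", "..", "./x", "..foo/bar" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s %s\n", samples[i],
               metalink_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A caller would apply the check to each parsed entry before building the output path and skip or fail any entry that is rejected.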