On Sun, May 13, 2012 at 9:28 PM, Tatsuhiro Tsujikawa
<tatsuhiro.t_at_gmail.com> wrote:
> On Sat, May 12, 2012 at 12:09 AM, Tatsuhiro Tsujikawa
> <tatsuhiro.t_at_gmail.com> wrote:
>> On Fri, May 11, 2012 at 5:01 AM, Anthony Bryan <anthonybryan_at_gmail.com> wrote:
>>> On Tue, May 8, 2012 at 11:28 AM,  <curl-users-request_at_cool.haxx.se> wrote:
>>>> Message: 1
>>>> Date: Wed, 9 May 2012 00:28:30 +0900
>>>> From: Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
>>>> To: the curl tool <curl-users_at_cool.haxx.se>
>>>> Subject: Re: Metalink support patch for curl
>>>> Message-ID:
>>>>        <CAPyZ6=L1At3YREO_y21VtVgYqwt=bEPECBXWpkZuqu_jTmLZzw_at_mail.gmail.com>
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>> On Mon, May 7, 2012 at 1:18 AM, Tatsuhiro Tsujikawa
>>>> <tatsuhiro.t_at_gmail.com> wrote:
>>>
>>>> I included above change in the attached patch.
>>>> I also fixed the issue when content-type has parameters. Now you can download
>>>> http://openoffice.mirrorbrain.org/stable/3.3.0/OOo-SDK_3.3.0_Linux_x86-64_install-deb_en-US.tar.gz.metalink
>>>
>>> thanks, that works for me!
>>>
>>> could you also sanitize <file name=""> because I noticed I could use
>>> <file name="../foo"> or <file name="/root/bar"> and traverse
>>> directories.
>>>
>>> is it possible to have this sanitizing in libmetalink? then it would
>>> only need to be done once there for any app that uses it. or maybe it
>>> is better suited to these curl patches, I don't know.
>>>
>>> from http://tools.ietf.org/html/rfc5854#section-4.1.2.1
>>>
>>>      Security Note: The path MUST NOT contain any directory traversal
>>>      directives or information.  The path MUST be relative.  The path
>>>      MUST NOT begin with a "/", "./", or "../"; contain "/../"; or end
>>>      with "/..".
>>>
>>
>> I agree to make this sanitizing in libmetalink. Good idea.
>>
>
> Fixed in libmetalink trunk.
>

I fixed the bug that causes segmentation fault if name attribute of
file element in Metalink is invalid (e.g., name starts with "../") and
as a result there are nothing download.
I also fixed the same bug when the number of resources is 0.

In addition to the above fixes, I added the code to always create
directory hierarchy for Metalink download.
The directory hierarchy creation is needed because name attribute of
file element in Metalink contains directory information. The next
libmetalink release will ensure that name element is relative and must
not contain directory traversal directives.

Patch attached.

Best regards,

Tatsuhiro Tsujikawa

> Best regards,
>
> Tatsuhiro Tsujikawa
>
>> Best regards,
>>
>> Tatsuhiro Tsujikawa
>>
>>> --
>>> (( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
>>>   )) Easier, More Reliable, Self Healing Downloads
>>>
>>> -------------------------------------------------------------------
>>> List admin: http://cool.haxx.se/list/listinfo/curl-users
>>> FAQ:        http://curl.haxx.se/docs/faq.html
>>> Etiquette:  http://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html