cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Metalink support patch for curl

From: Yang Tse <yangsita_at_gmail.com>
Date: Thu, 28 Jun 2012 00:44:32 +0200

Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com> wrote:

> The attached patch makes 2012 to 2016 pass.

Pushed now, enabling tests 2012 to 2016

> The test 2017 treats log/.download2017 as invalid.
> The directory traversals are explicitly prohibited by RFC 5854,
> we did not make any remarks to file name starting '.'.
> Should we drop those filenames?

Certainly, or we would leave open lots of attack vectors, given that
metalink files are given the 'privilege' of specifying path and file
name of what is finally going to be written to filesystem.

http://tools.ietf.org/html/rfc5854.html#section-4.1.2.1 has a security
note which I believe could probably be further improved.

Unless we prevent them, potential damage cases that could affect curl
users when using --metalink option would be for example those
mentioned in http://tools.ietf.org/html/rfc2183#section-5 and also in
http://tools.ietf.org/html/rfc6266#section-4.3

Thanks,

-- 
-=[Yang]=-
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2012-06-28

This message: [ Message body ]
Next message: gerd: "looking for scripter"
Previous message: Marco A. Cruz Quevedo: "Program too big to fit in memory"
In reply to: Tatsuhiro Tsujikawa: "Re: Metalink support patch for curl"
Next in thread: gerd: "looking for scripter"
Reply: gerd: "looking for scripter"
Reply: Tatsuhiro Tsujikawa: "Re: Metalink support patch for curl"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]