curl-users
Re: Metalink support patch for curl
Date: Thu, 28 Jun 2012 23:07:28 +0900
On Thu, Jun 28, 2012 at 7:44 AM, Yang Tse <yangsita_at_gmail.com> wrote:
> Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com> wrote:
>
>> The attached patch makes 2012 to 2016 pass.
>
> Pushed now, enabling tests 2012 to 2016
>
Thank you!
>> Test 2017 treats log/.download2017 as invalid.
>> Directory traversals are explicitly prohibited by RFC 5854, but
>> we did not make any remarks about file names starting with '.'.
>> Should we drop those filenames?
>
> Certainly, or we would leave open lots of attack vectors, given that
> metalink files are given the 'privilege' of specifying path and file
> name of what is finally going to be written to filesystem.
>
> http://tools.ietf.org/html/rfc5854.html#section-4.1.2.1 has a security
> note which I believe could probably be further improved.
>
> Unless we prevent them, potential damage cases that could affect curl
> users when using --metalink option would be for example those
> mentioned in http://tools.ietf.org/html/rfc2183#section-5 and also in
> http://tools.ietf.org/html/rfc6266#section-4.3
>
Agreed.
I changed the libmetalink code not to allow '.' as the first character
of the path, or of the filename following the last slash.
https://code.launchpad.net/~metalink-dev/libmetalink/trunk
With the latest libmetalink trunk branch, test 2017 passed.
Best regards,
Tatsuhiro Tsujikawa
> Thanks,
> --
> -=[Yang]=-
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-06-28
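Added example, not curl's or libmetalink's own code: a C check implementing the file-name policy the thread settles on for the metalink "name" attribute. It rejects absolute paths and "." / ".." components (the directory traversal RFC 5854 section 4.1.2.1 forbids) and any path component, directory or final file name, whose first character is '.', which is the case test 2017 exercises with log/.download2017. The function name metalink_name_is_safe, the sample names, and the additional rejection of backslashes and empty components are assumptions of this example, not something the thread or libmetalink states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not curl or libmetalink code). Decide whether a metalink
 * "name" attribute is safe to use as an output path, relative to the
 * current directory. Rejects:
 *   - absolute paths (leading '/'),
 *   - "." and ".." components (directory traversal, RFC 5854 4.1.2.1),
 *   - any component (directory or final file name) starting with '.'.
 * Rejecting '\\' anywhere and empty components ("a//b", "dir/") is an
 * extra assumption of this example, not a rule from the thread.
 */
static bool metalink_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (name[0] == '/')
        return false;               /* absolute path */

    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0)
            return false;           /* empty component, e.g. "a//b" */
        if (p[0] == '.')
            return false;           /* covers ".", "..", ".hidden" */
        if (memchr(p, '\\', len))
            return false;           /* assumption: no backslash separators */

        if (!end)
            break;                  /* last component checked */
        p = end + 1;
        if (*p == '\0')
            return false;           /* trailing slash: no file name at all */
    }
    return true;
}

/* Constructed sample names with the verdict this example expects. */
static const struct { const char *name; bool safe; } samples[] = {
    { "download2017",      true  },
    { "log/download2017",  true  },
    { "log/.download2017", false }, /* the case test 2017 exercises */
    { "../etc/passwd",     false },
    { "log/../../x",       false },
    { "/etc/passwd",       false },
    { ".bashrc",           false },
    { "a//b",              false },
    { "dir/",              false },
};

int main(void)
{
    int failures = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool got = metalink_name_is_safe(samples[i].name);
        printf("%-20s %s\n", samples[i].name, got ? "accept" : "reject");
        if (got != samples[i].safe)
            failures++;
    }
    return failures ? 1 : 0;
}
```

The check is deliberately a whitelist of what a relative, non-hidden path looks like rather than a search for known-bad substrings, so a name that fails it is dropped rather than sanitised; the same approach applies to a Content-Disposition filename, which RFC 2183 section 5 and RFC 6266 section 4.3 (cited above) warn about for the same reason.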