RE: Warning: using file:// on Windows with curl
Date: Mon, 16 Mar 2020 15:14:31 +0000
This thread prompted me to check out RFC 8089: The "file" URI Scheme. Interesting.
TIL that the file:// scheme intentionally supports specifying files on other hosts without a specific protocol. The RFC also discusses using the scheme for representing UNC paths as a "non-standard variation" in Section E.3.
I think it is the right call to consider it a feature, not a bug, even though at first I did think it was surprising behavior.
*If* curl wanted to still treat this as a vulnerability, then I think the only correct approach curl could take would be to drop support for the file:// URI scheme. One might argue that since file:// does not specify a transfer protocol, it doesn't belong in a transfer tool as a choice of protocol.
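The host and UNC forms of file:// discussed in the message above can be screened for by an application before it passes a user-supplied URL to a transfer tool. The following is an added example, not part of the original message and not curl's own parsing; the function names, labels and sample URLs are constructed for illustration.

```python
from urllib.parse import unquote

# RFC 8089: an empty authority or "localhost" refers to the local machine.
LOCAL_AUTHORITIES = {"", "localhost"}

def _looks_unc(path: str) -> bool:
    """True when the path itself begins with a //host/share style prefix."""
    p = path.replace("\\", "/")
    return p.startswith("//") and p.strip("/") != ""

def classify_file_url(url: str) -> str:
    """Return 'not-file', 'local', 'remote-host' or 'unc' (labels are hypothetical)."""
    scheme, sep, rest = url.strip().partition(":")
    if not sep or scheme.lower() != "file":
        return "not-file"
    rest = rest.split("#", 1)[0].split("?", 1)[0]
    if not rest.startswith("//"):
        # file:/path form: no authority component at all.
        return "unc" if _looks_unc(unquote(rest)) else "local"
    authority, slash, tail = rest[2:].partition("/")
    if authority.lower() not in LOCAL_AUTHORITIES:
        # file://host/share/... names another host in the authority.
        return "remote-host"
    # file:////host/share and file://///host/share: empty authority, and the
    # host is carried in the path (the non-standard UNC variants in RFC 8089 E.3).
    return "unc" if _looks_unc(unquote(slash + tail)) else "local"

def reject_non_local(urls):
    """Return (url, reason) for every file URL that points off the local machine."""
    return [(u, k) for u in urls
            if (k := classify_file_url(u)) in ("remote-host", "unc")]

# Constructed sample input; fileserver.example is a placeholder host name.
SAMPLE_URLS = [
    "file:///etc/hosts",
    "file://localhost/etc/hosts",
    "file:///C:/Windows/win.ini",
    "file://fileserver.example/share/report.txt",
    "file:////fileserver.example/share/report.txt",
    "file://///fileserver.example/share/report.txt",
    "file:///%5C%5Cfileserver.example/share/report.txt",
    "https://example.com/",
]

if __name__ == "__main__":
    for url, reason in reject_non_local(SAMPLE_URLS):
        print(f"{reason:12} {url}")
```

The classifier is deliberately conservative: any authority other than the empty string or `localhost` is treated as a remote host, including forms with a port or a drive letter in the authority position.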