curl / Mailing Lists / curl-users / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

RE: Warning: using file:// on Windows with curl

From: Norton, Mike via curl-users <curl-users_at_cool.haxx.se>
Date: Mon, 16 Mar 2020 15:14:31 +0000

This thread prompted me to check out RFC 8089: The "file" URI Scheme. Interesting.

TIL that the file:// scheme intentionally supports specifying files on other hosts without a specific protocol. The RFC also discusses using the scheme for representing UNC paths as a "non-standard variation" in Section E.3.

I think it is the right call to consider it a feature not a bug, even though at first I did think it was surprising behavior.

*If* Curl wanted to still treat this as a vulnerability, then I think the only correct approach Curl could take would be to drop support for the file:// URI scheme. One might argue that since file:// does not specify a transfer protocol, it doesn't belong in a transfer tool as a choice of protocol.

-mn

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-03-16