
Re: Warning: using file:// on Windows with curl

From: Paul Gilmartin via curl-users <curl-users_at_cool.haxx.se>
Date: Mon, 16 Mar 2020 10:50:09 -0600

On 2020-03-16, at 09:14:31, Norton, Mike via curl-users <curl-users_at_cool.haxx.se> wrote:
>
> This thread prompted me to check out RFC 8089: The "file" URI Scheme. Interesting.
>
> TIL that the file:// scheme intentionally supports specifying files on other hosts without a specific protocol. The RFC also discusses using the scheme for representing UNC paths as a "non-standard variation" in Section E.3.
>
"Interesting"? I was gobsmacked.

> I think it is the right call to consider it a feature not a bug, even though at first I did think it was surprising behavior.
>
> *If* Curl wanted to still treat this as a vulnerability, then I think the only correct approach Curl could take would be to drop support for the file:// URI scheme. One might argue that since file:// does not specify a transfer protocol, it doesn't belong in a transfer tool as a choice of protocol.
>
Does cURL operate with elevated privileges (not on MacOS nor Linux)?
If not, it's purely an OS weakness or firewall defect. Otherwise
there should be an option (perhaps default) to install cURL with
ordinary user privileges.

-- gil

Received on 2020-03-16
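
An added example, not part of the mail above and not curl project code: a pre-flight check a caller could run on a URL before handing it to a transfer tool, flagging file URLs that name another host in the ways RFC 8089 allows (a non-empty authority, or the Appendix E.3 UNC form with extra slashes). The function name, host names and paths are constructed; treating backslashes as slashes is a conservative assumption, not a statement about how curl parses them.

```python
from urllib.parse import urlsplit, unquote

# Authorities that RFC 8089 treats as "this machine".
LOCAL_HOSTS = {"", "localhost"}


def classify_file_url(url):
    """Return 'not-file', 'local', 'remote' or 'invalid' for a URL string."""
    try:
        # Assumption: count backslashes as slashes so a Windows-style
        # spelling of a UNC path cannot slip past the checks below.
        parts = urlsplit(url.replace("\\", "/"))
    except ValueError:
        return "invalid"
    if parts.scheme != "file":  # urlsplit lower-cases the scheme
        return "not-file"
    host = (parts.hostname or "").lower()
    if host not in LOCAL_HOSTS:
        return "remote"  # file://host/share/file
    # Empty authority but the path itself starts with "//":
    # the UNC-in-path form, file:////host/share/file.
    # Decode first so %2F%2F is treated the same way.
    if unquote(parts.path).startswith("//"):
        return "remote"
    return "local"


if __name__ == "__main__":
    # Constructed sample URLs.
    samples = [
        "file:///C:/Windows/win.ini",
        "file://localhost/etc/hosts",
        "file://fileserver.example/share/report.txt",
        "file:////fileserver.example/share/report.txt",
        "https://example.com/index.html",
    ]
    for s in samples:
        print(f"{classify_file_url(s):9} {s}")
```

A caller that only ever expects local files would refuse anything not classified as 'local' before the URL reaches the transfer tool.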