Re: Warning: using file:// on Windows with curl
Date: Mon, 16 Mar 2020 10:50:09 -0600
On 2020-03-16, at 09:14:31, Norton, Mike via curl-users <curl-users_at_cool.haxx.se> wrote:
> This thread prompted me to check out RFC 8089: The "file" URI Scheme. Interesting.
> TIL that the file:// scheme intentionally supports specifying files on other hosts without a specific protocol. The RFC also discusses using the scheme for representing UNC paths as a "non-standard variation" in Section E.3.
"Interesting"? I was gobsmacked.
> I think it is the right call to consider it a feature not a bug, even though at first I did think it was surprising behavior.
> *If* Curl wanted to still treat this as a vulnerability, then I think the only correct approach Curl could take would be to drop support for the file:// URI scheme. One might argue that since file:// does not specify a transfer protocol, it doesn't belong in a transfer tool as a choice of protocol.
Does cURL operate with elevated privileges (not on MacOS nor Linux).
If not, it's purely an OS weakness or firewall defect. Otherwise
there should be an option (perhaps default) to install cURL with
ordinary user privileges.