curl / Mailing Lists / curl-users / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Request to revert Windows path restrictions

From: Chris Roberts via curl-users <>
Date: Fri, 10 Apr 2020 10:11:31 -0700


I have been running into some issues with the new changes included to
address CVE-2019-15601. After reading through the original CVE, I'm
not sure that I agree it is an issue with curl, nor do I believe it is
an issue which curl should be responsible for addressing. After
reading through some of the archives on this list, I found the thread:

"Warning: using file:// on Windows with curl"

That thread seemed to pretty well sum up my feelings around the change
implemented with regards to the reported CVE. It doesn't really seem
to be an issue with curl, and if it actually is an issue, it seems to
be more of an issue with Windows itself. Any other tool or application
that loads file paths will have the same behavior as described by the

The request to revert the change:

is due to the fact that this change seems to result in an added
restriction to functionality (breaking functionality which was
previously working) without any significant gain. Network paths can
still be accessed in other ways, and as the documentation now states,
if that type of behavior is unacceptable then the file protocol should
be disabled. But for use cases where the file protocol is desired on
Windows, the restriction on paths with a double slash prefix is
breaking the expected behavior (in this case "expected behavior" being
both handling valid Windows paths and curl's previous behavior until
this changeset). Is reverting the behavior back to its original state
something that would be acceptable?

Thanks so much!

- Chris
Received on 2020-04-10