Re: --remote-header-name security?
From: Paul Gilmartin via curl-users <curl-users_at_lists.haxx.se>
Date: Sun, 9 Jan 2022 10:40:08 -0700
On Jan 9, 2022, at 03:16:59, Daniel Stenberg wrote:
>
> --remote-header-name will always trim off the remotely provided directory name before it uses the file name.
> It will save in current directory, or in the given --output-dir.
>
Thanks. So I needn't worry about "rogue" site's supplying
Filename=./../../../../../etc/passwd, etc.
>> Also, what's a good way of testing for --remote-header-name? I'm thinking:
>> curl --remote-header-name --remote-name URL
>> if $?==23 then curl --output tempname URL
>
> That won't work. The --remote-name part will kick in if there's no Content-Disposition header.
>
Thanks; it's good enough for me. I download in an empty temp directory;
no dangerous symlinks. If I get a probable name I move/rename.
Thanks again,
gil
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2022-01-09
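The workflow described in the message above (download into an empty temp directory, then move/rename only if the name is acceptable), sketched as an added example that is not code from the thread or from the curl project. The function names `fetch_isolated` and `adopt_download` and the filename allowlist are assumptions; the curl options are the ones named in the thread plus `--fail`, `--silent`, `--show-error` and `--url`.

```shell
#!/bin/sh
# Added example. fetch_isolated and adopt_download are hypothetical names.

# Download into a fresh, empty directory that only this user can access,
# so a server-chosen name cannot collide with or replace an existing file.
fetch_isolated() {
    url=$1
    tmp=$(mktemp -d) || return 1
    curl --fail --silent --show-error --remote-header-name --remote-name \
         --output-dir "$tmp" --url "$url" || { rm -rf "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

# Move the single downloaded file from $1 into $2 if its name looks sane.
# Prints the adopted name; returns non-zero and moves nothing otherwise.
adopt_download() {
    tmp=$1
    dest=$2
    # Count every entry, dotfiles included; a name with a newline counts twice
    # and is therefore rejected as well.
    count=$(find "$tmp" -mindepth 1 | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo "expected 1 file, found $count" >&2; return 1; }
    path=$(find "$tmp" -mindepth 1 -maxdepth 1)
    name=${path##*/}
    # Regular file only: no symlink, directory, FIFO or device node.
    [ -f "$path" ] && [ ! -L "$path" ] || { echo "not a regular file" >&2; return 1; }
    # Assumed policy: no leading dot or dash, and a conservative character set.
    case $name in
        .*|-*|*[!A-Za-z0-9._-]*) echo "rejected name: $name" >&2; return 1 ;;
    esac
    # Never replace something that already exists at the destination.
    if [ -e "$dest/$name" ] || [ -L "$dest/$name" ]; then
        echo "refusing to overwrite $dest/$name" >&2
        return 1
    fi
    mv "$path" "$dest/$name" && printf '%s\n' "$name"
}

# Usage (needs network): tmp=$(fetch_isolated "$URL") && adopt_download "$tmp" "$HOME/Downloads"
```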