cURL / Mailing Lists / curl-library / Single Mail

curl-library

dotdot-Removal in Curl

From: Tom Tom <tomtux007_at_gmail.com>
Date: Thu, 19 Feb 2015 11:26:01 +0100

> I tested one of our website from my linux-client (curl 7.35.0) for an
> directory-traversal issue. I determined, that curl in the version I'm using
> it, is not sending the "../../"-part of the URL in the GET-Request. I was
> confused. I verified, if there are some curl-options to force/allow the
> dot-URL - no success. Then a little bit of google and I reached your blog:
> http://daniel.haxx.se/blog/2013/07/30/dotdot-removal-in-libcurl/
>
> I would appreciate much, if there would be an "on"-option in curl, which
> forces curl to send the dot-URLs in the header. And this just for testing
> our servers/applications for possible vulnerabilities.
>
> Do you see a chance for this?

Sure, I can see us adding an option that would prevent curl from doing that -
if you do the work it is even more likelier to happen soon!

Please take this discussion to the curl-library mailing list!

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2015-02-19

This message: [ Message body ]
Next message: Daniel Stenberg: "Re: dotdot-Removal in Curl"
Previous message: Wenlong Dong: "Re: How to set service name for SPNEGO?"
Next in thread: Daniel Stenberg: "Re: dotdot-Removal in Curl"
Reply: Daniel Stenberg: "Re: dotdot-Removal in Curl"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]