curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: [SECURITY ADVISORY] curl invalid URL parsing with '#'

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 7 Nov 2016 08:40:33 +0100 (CET)

On Sun, 6 Nov 2016, Mike Crowe wrote:

> The question now is whether the post-3bb273db7e behaviour of treating
> file://README as file:///README is sensible, or whether such a URL should be
> treated as malformed. I certainly continue to find it confusing that
> file://vmlinuz refers to /vmlinuz but file://etc/passwd refers to /passwd.

Yeah. Ray also arrived basically this point and I must say that right now the
"allow any host name and ignore it policy" is just hurting. The fact that
"file://etc/passwd" is a host name called 'etc' that gets ignored is not
helping anyone.

I (now) think we should enforce the host name check and only allow a blank
host name or 'localhost'. The current very relaxed parser doesn't help anyone,
it just misleads people into believing the wrong thing happens.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-07