
Re: [SECURITY ADVISORY] curl invalid URL parsing with '#'

From: Daniel Stenberg
Date: Mon, 7 Nov 2016 08:40:33 +0100 (CET)

On Sun, 6 Nov 2016, Mike Crowe wrote:

> The question now is whether the post-3bb273db7e behaviour of treating
> file://README as file:///README is sensible, or whether such a URL should be
> treated as malformed. I certainly continue to find it confusing that
> file://vmlinuz refers to /vmlinuz but file://etc/passwd refers to /passwd.

Yeah. Ray also arrived at basically this point and I must say that right now the
"allow any host name and ignore it policy" is just hurting. The fact that
"file://etc/passwd" is a host name called 'etc' that gets ignored is not
helping anyone.

I (now) think we should enforce the host name check and only allow a blank
host name or 'localhost'. The current very relaxed parser doesn't help anyone,
it just misleads people into believing the wrong thing happens.

Received on 2016-11-07
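
Added example, not part of the original mail and not curl's code: a simplified C model of the two policies discussed above, the relaxed one that drops any host name and the enforced one that accepts only a blank host name or 'localhost'. The function names are hypothetical, and Windows drive-letter paths are not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Simplified model of the two policies in the mail; not curl's parser.
   Each function returns 0 and fills 'out', or -1 when the URL is rejected. */
static int emit(const char *pre, const char *path, char *out, size_t len)
{
  int n = snprintf(out, len, "%s%s", pre, path);
  return (n >= 0 && (size_t)n < len) ? 0 : -1;
}

/* Relaxed: text before the first '/' is a host name that is dropped;
   with no '/' at all, the remainder is used as the path. */
int file_path_lenient(const char *url, char *out, size_t len)
{
  if(strncmp(url, "file://", 7))
    return -1;
  const char *rest = url + 7, *slash = strchr(rest, '/');
  return slash ? emit("", slash, out, len) : emit("/", rest, out, len);
}

/* Enforced: host must be empty or "localhost" (any case), else reject. */
int file_path_strict(const char *url, char *out, size_t len)
{
  static const char local[] = "localhost";
  if(strncmp(url, "file://", 7))
    return -1;
  const char *rest = url + 7, *slash = strchr(rest, '/');
  if(!slash)
    return -1;                       /* file://README: host, no path */
  size_t hostlen = (size_t)(slash - rest);
  if(hostlen && hostlen != sizeof(local) - 1)
    return -1;                       /* file://etc/passwd: host "etc" */
  for(size_t i = 0; i < hostlen; i++)
    if(tolower((unsigned char)rest[i]) != local[i])
      return -1;
  return emit("", slash, out, len);
}

int main(void)
{
  const char *urls[] = { "file://vmlinuz", "file://etc/passwd",
                         "file:///etc/passwd", "file://LocalHost/etc/passwd" };
  char a[64], b[64];
  for(size_t i = 0; i < sizeof(urls) / sizeof(urls[0]); i++)
    printf("%-28s relaxed=%-12s enforced=%s\n", urls[i],
           file_path_lenient(urls[i], a, sizeof(a)) ? "(rejected)" : a,
           file_path_strict(urls[i], b, sizeof(b)) ? "(rejected)" : b);
}
```

Callers that build file:// URLs from configuration or user input can use the enforced form to surface a mistyped "file://etc/passwd" as an error instead of silently opening /passwd.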