curl-library
Re: [SECURITY ADVISORY] curl invalid URL parsing with '#'
Date: Mon, 7 Nov 2016 08:40:33 +0100 (CET)
On Sun, 6 Nov 2016, Mike Crowe wrote:
> The question now is whether the post-3bb273db7e behaviour of treating
> file://README as file:///README is sensible, or whether such a URL should be
> treated as malformed. I certainly continue to find it confusing that
> file://vmlinuz refers to /vmlinuz but file://etc/passwd refers to /passwd.
Yeah. Ray also basically arrived at this point, and I must say that right now the
"allow any host name and ignore it" policy is just hurting. The fact that
"file://etc/passwd" is a host name called 'etc' that gets ignored is not
helping anyone.
I (now) think we should enforce the host name check and only allow a blank
host name or 'localhost'. The current very relaxed parser doesn't help anyone,
it just misleads people into believing the wrong thing happens.
--
/ daniel.haxx.se

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2016-11-07
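As an added illustration of the two policies discussed in this thread (this is example code written for this archive page, not libcurl's parser), the C program below models both the relaxed behaviour Mike describes, where `file://vmlinuz` becomes `/vmlinuz` but `file://etc/passwd` becomes `/passwd` because the host `etc` is silently dropped, and the strict policy Daniel proposes, where only an empty host or `localhost` is accepted and anything else is rejected outright. The function names, the status enum and the sample URLs beyond those quoted in the thread are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing a file:// URL under either policy (hypothetical enum). */
enum file_url_status {
    FILE_URL_OK = 0,
    FILE_URL_NOT_FILE_SCHEME, /* URL does not start with file:// */
    FILE_URL_BAD_HOST,        /* strict policy: host is neither "" nor "localhost" */
    FILE_URL_NO_PATH,         /* nothing usable after the authority */
    FILE_URL_TOO_LONG         /* caller's buffer is too small */
};

/* Case-insensitive compare of n bytes; b must be at least n bytes long.
   Returns at the first mismatch, so a shorter a is never over-read. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Split "file://<host><path>": host is everything up to the first '/',
   path starts at that '/' or is empty when there is none. */
static int split_file_url(const char *url, const char **host, size_t *hostlen,
                          const char **path)
{
    const char *p, *slash;
    if (!ieq(url, "file://", 7))
        return 0;
    p = url + 7;
    slash = strchr(p, '/');
    *host = p;
    *hostlen = slash ? (size_t)(slash - p) : strlen(p);
    *path = p + *hostlen; /* points at '/' or at the terminating NUL */
    return 1;
}

static enum file_url_status copy_path(const char *path, char *out, size_t outlen)
{
    if (strlen(path) + 1 > outlen)
        return FILE_URL_TOO_LONG;
    strcpy(out, path);
    return FILE_URL_OK;
}

/* Relaxed behaviour as described in the thread (a model, not libcurl code):
   a host followed by '/' is accepted and silently ignored, while a URL with
   no '/' after the authority is read as if it were file:///<authority>. */
enum file_url_status lax_file_url_path(const char *url, char *out, size_t outlen)
{
    const char *host, *path;
    size_t hostlen;
    if (!split_file_url(url, &host, &hostlen, &path))
        return FILE_URL_NOT_FILE_SCHEME;
    if (*path == '\0') {
        if (hostlen + 2 > outlen)
            return FILE_URL_TOO_LONG;
        out[0] = '/';
        memcpy(out + 1, host, hostlen);
        out[hostlen + 1] = '\0';
        return FILE_URL_OK; /* file://vmlinuz -> /vmlinuz */
    }
    return copy_path(path, out, outlen); /* file://etc/passwd -> /passwd */
}

/* Strict policy proposed in the reply: only an empty host or "localhost"
   is accepted; any other host is an error rather than a guess. */
enum file_url_status strict_file_url_path(const char *url, char *out, size_t outlen)
{
    const char *host, *path;
    size_t hostlen;
    if (!split_file_url(url, &host, &hostlen, &path))
        return FILE_URL_NOT_FILE_SCHEME;
    if (hostlen != 0 && !(hostlen == 9 && ieq(host, "localhost", 9)))
        return FILE_URL_BAD_HOST;
    if (*path == '\0')
        return FILE_URL_NO_PATH;
    return copy_path(path, out, outlen);
}

/* Small helpers so results can be checked without juggling buffers. */
enum file_url_status strict_status(const char *url)
{
    char buf[256];
    return strict_file_url_path(url, buf, sizeof buf);
}
int strict_path_is(const char *url, const char *expect)
{
    char buf[256];
    return strict_file_url_path(url, buf, sizeof buf) == FILE_URL_OK &&
           strcmp(buf, expect) == 0;
}
int lax_path_is(const char *url, const char *expect)
{
    char buf[256];
    return lax_file_url_path(url, buf, sizeof buf) == FILE_URL_OK &&
           strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed sample URLs, including the ones quoted in the thread. */
    const char *urls[] = { "file:///vmlinuz", "file://vmlinuz", "file://etc/passwd",
                           "file://localhost/etc/passwd", "file://README" };
    char path[256];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        printf("%-28s relaxed: %-12s", urls[i],
               lax_file_url_path(urls[i], path, sizeof path) == FILE_URL_OK ? path : "(error)");
        printf("strict: %s\n",
               strict_file_url_path(urls[i], path, sizeof path) == FILE_URL_OK ? path : "rejected");
    }
    return 0;
}
```

Running it side by side makes the inconsistency visible: the relaxed model maps `file://vmlinuz` and `file://etc/passwd` to `/vmlinuz` and `/passwd` respectively, while the strict model rejects both with `FILE_URL_BAD_HOST` and only accepts `file:///...` and `file://localhost/...`, so a caller can no longer be misled about which file is being opened.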