stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Daniel Stenberg
Date: Fri, 11 Nov 2016 08:18:25 +0100 (CET)

On Mon, 7 Nov 2016, Daniel Stenberg wrote:

> I (now) think we should enforce the host name check and only allow a blank
> host name or 'localhost'. The current very relaxed parser doesn't help
> anyone, it just misleads people into believing the wrong thing happens.

Here's my suggested patch to make the file:// URL parser stricter. I'm sure
this will cause someone's code to break so I am certainly listening to
concerns people might have.

The attached patch makes it so a file://[host]/[path] URL must have the [host]
part either blank, "localhost" or "". Anything else mentioned as host
will cause a CURLE_URL_MALFORMAT return code.

I didn't add "::1" support because that was never mentioned in any spec as far
as I know, and in the case it isn't using the network anyway, it's
just an alternate way of saying localhost.

All tests still work.


Received on 2016-11-11
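
The host rule described in the mail, as an added sketch that is not curl's code and not the attached patch: a stand-alone check that accepts a file://[host]/[path] URL only when [host] is blank or "localhost" and rejects any other host instead of silently reading a local file. The function name, the status enum and the allowlist array are hypothetical; requiring a '/' after the host is an assumption of this sketch.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical status codes for this sketch (not libcurl's CURLcode). */
enum file_url_status { FILE_URL_OK = 0, FILE_URL_MALFORMAT = 1 };

/* Hosts accepted in file://[host]/[path]; "" is the blank host.
   Add further entries here if more local names are to be accepted. */
static const char *const allowed_hosts[] = { "", "localhost" };

/*
 * Validate the [host] part of a file:// URL.
 * On success, *path (if non-NULL) points at the leading '/' of the path
 * inside url. Any other host, a missing '/', or a different scheme is
 * rejected, so a name that looks remote is never treated as local.
 */
enum file_url_status check_file_url(const char *url, const char **path)
{
    static const char scheme[] = "file://";
    const size_t scheme_len = sizeof(scheme) - 1;
    const char *host, *slash;
    size_t host_len, i;

    if (path)
        *path = NULL;
    if (url == NULL || strncasecmp(url, scheme, scheme_len) != 0)
        return FILE_URL_MALFORMAT;

    host = url + scheme_len;
    slash = strchr(host, '/');          /* end of [host], start of [path] */
    if (slash == NULL)
        return FILE_URL_MALFORMAT;
    host_len = (size_t)(slash - host);

    /* Exact, case-insensitive match: "localhost.example.com" or "local"
       must not pass as "localhost". */
    for (i = 0; i < sizeof(allowed_hosts) / sizeof(allowed_hosts[0]); i++) {
        if (strlen(allowed_hosts[i]) == host_len &&
            strncasecmp(host, allowed_hosts[i], host_len) == 0) {
            if (path)
                *path = slash;
            return FILE_URL_OK;
        }
    }
    return FILE_URL_MALFORMAT;
}
```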