

Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Kamil Dudka
Date: Fri, 11 Nov 2016 10:48:54 +0100

On Friday, November 11, 2016 08:18:25 Daniel Stenberg wrote:
> On Mon, 7 Nov 2016, Daniel Stenberg wrote:
> > I (now) think we should enforce the host name check and only allow a blank
> > host name or 'localhost'. The current very relaxed parser doesn't help
> > anyone, it just misleads people into believing the wrong thing happens.
> Here's my suggested patch to make the file:// URL parser stricter. I'm sure
> this will cause someone's code to break so I am certainly listening to
> concerns people might have.
> The attached patch makes it so a file://[host]/[path] URL must have the
> [host] part either blank, "localhost" or "". Anything else
> mentioned as host will cause a CURLE_URL_MALFORMAT return code.
> I didn't add "::1" support because that was never mentioned in any spec as
> far as I know, and in the case it isn't using the network anyway,
> it is just an alternate way of saying localhost.
> All tests still work.

I would prefer to get a more descriptive error message saying what exactly
was matched as the host part and what was expected there for the URL to be

One minor nit. Can we write:

    if ('/' == ptr[1])

... instead of:

    if(ptr[1] && ('/' == ptr[1]))

... ?

Received on 2016-11-11
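
The host check discussed in this thread, combined with the more descriptive error message requested in the reply, as an added example that is not part of the original mail and is not curl's patch. The function name `check_file_url`, the `FURL_*` codes and the case-sensitive comparison are assumptions of this sketch, and it accepts only a blank host or "localhost".

```c
#include <stdio.h>
#include <string.h>

/* Result codes made up for this sketch; they are not libcurl's CURLcode. */
enum furl_rc { FURL_OK, FURL_NOT_FILE, FURL_NO_PATH, FURL_BAD_HOST };

/* Check the [host] part of file://[host]/[path]. Only a blank host or
 * "localhost" passes (case-sensitive here, an assumption). On failure
 * errbuf names what was matched as the host and what was expected. */
static enum furl_rc check_file_url(const char *url, const char **path,
                                   char *errbuf, size_t errlen)
{
  static const char scheme[] = "file://";
  const char *host, *slash;
  size_t hostlen;
  *path = NULL;
  if(strncmp(url, scheme, sizeof(scheme) - 1)) {
    snprintf(errbuf, errlen, "'%s' is not a file:// URL", url);
    return FURL_NOT_FILE;
  }
  host = url + sizeof(scheme) - 1;
  slash = strchr(host, '/');
  if(!slash) {
    snprintf(errbuf, errlen, "'%s' has no path after the host part", url);
    return FURL_NO_PATH;
  }
  hostlen = (size_t)(slash - host);
  if(hostlen == 0 || (hostlen == 9 && !strncmp(host, "localhost", 9))) {
    *path = slash; /* the path starts at the first '/' after the host */
    return FURL_OK;
  }
  snprintf(errbuf, errlen, "file:// host '%.*s' is not allowed, expected "
           "a blank host or 'localhost'", (int)hostlen, host);
  return FURL_BAD_HOST;
}

int main(void)
{
  const char *urls[] = { "file:///etc/hosts", "file://localhost/etc/hosts",
                         "file://example.com/etc/hosts" }; /* constructed */
  char err[128];
  const char *path;
  size_t i;
  for(i = 0; i < sizeof(urls) / sizeof(urls[0]); i++) {
    int ok = check_file_url(urls[i], &path, err, sizeof(err)) == FURL_OK;
    printf("%s: %s\n", urls[i], ok ? path : err);
  }
  return 0;
}
```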