curl-library
Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')
Date: Fri, 11 Nov 2016 10:48:54 +0100
On Friday, November 11, 2016 08:18:25 Daniel Stenberg wrote:
> On Mon, 7 Nov 2016, Daniel Stenberg wrote:
> > I (now) think we should enforce the host name check and only allow a blank
> > host name or 'localhost'. The current very relaxed parser doesn't help
> > anyone, it just misleads people into believing the wrong thing happens.
>
> Here's my suggested patch to make the file:// URL parser stricter. I'm sure
> this will cause someone's code to break so I am certainly listening to
> concerns people might have.
>
> The attached patch makes it so a file://[host]/[path] URL must have the
> [host] part either blank, "localhost" or "127.0.0.1". Anything else
> mentioned as host will cause a CURLE_URL_MALFORMAT return code.
>
> I didn't add "::1" support because that was never mentioned in any spec as
> far as I know, and in the 127.0.0.1 case it isn't using the network anyway,
> it just an alternate way of saying localhost.
>
> All tests still work.
I would prefer to get a more descriptive error message saying what exactly
was matched as the host part and what was expected there for the URL to be
accepted.
One minor nit. Can we write:
if ('/' == ptr[1])
... instead of:
if(ptr[1] && ('/' == ptr[1]))
... ?
Kamil
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-11