curl-library

Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 11 Nov 2016 11:40:25 +0100 (CET)

On Fri, 11 Nov 2016, Kamil Dudka wrote:

> I would prefer to get a more descriptive error message saying what exactly
> was matched as the host part and what was expected there for the URL to be
> accepted.

Good point. But since the code hasn't exactly extracted the found hostname
correctly, it's not that easy to show it. How about at least making it say:

   failf(data, "Valid host name with slash missing in URL");

The funny phrasing is because it actually checks for "localhost/" so the error
string will also be shown for "file://localhost": a file: URL without a
trailing slash.

> One minor nit. Can we write:
>
> if ('/' == ptr[1])
>
> ... instead of:
>
> if(ptr[1] && ('/' == ptr[1]))

It actually has to be changed to

   if(ptr[0] && ('/' == ptr[1]))

So that it doesn't read beyond the string for "file://localhost/".

Thanks a lot for the comments. I've attached my updated version.

-- 
  / daniel.haxx.se


Received on 2016-11-11
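
The check discussed in this mail, written out as a stand-alone C illustration. It is an added example, not curl's code and not the attached patch; the function name file_url_path, the sample inputs and the skipping of a second slash after the host are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Error text quoted from the mail above. */
static const char *const FILE_HOST_ERR =
  "Valid host name with slash missing in URL";

/* Hypothetical helper, not curl's function. 'rest' is the text that follows
   "file://". Returns NULL and stores the local path in *path on success;
   returns the error string and leaves *path untouched on failure. */
static const char *file_url_path(const char *rest, const char **path)
{
  const char *ptr;

  if(rest[0] == '/') {        /* empty host, e.g. file:///etc/hosts */
    *path = rest;
    return NULL;
  }
  /* A host is present. The slash is part of the match, so a bare
     "localhost" and "localhostx/..." are rejected like any other host. */
  if(strncmp(rest, "localhost/", 10) != 0)
    return FILE_HOST_ERR;

  ptr = rest + 9;             /* the slash that ends the host part */

  /* Assumption of this example: in "localhost//path" the first slash is a
     pure separator and is skipped. ptr[0] is tested before ptr[1], so the
     look-ahead is never taken from a pointer that sits on the NUL (here
     ptr[0] is always '/' thanks to the prefix check above). */
  if(ptr[0] && ('/' == ptr[1]))
    ptr++;
  *path = ptr;
  return NULL;
}

int main(void)
{
  /* Constructed sample inputs: the part of the URL after "file://". */
  const char *samples[] = { "/etc/hosts", "localhost/etc/hosts",
                            "localhost//etc/hosts", "localhost/",
                            "localhost", "example.com/etc/hosts" };
  size_t i;
  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    const char *path = NULL;
    const char *err = file_url_path(samples[i], &path);
    printf("file://%-22s -> %s\n", samples[i], err ? err : path);
  }
  return 0;
}
```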