curl-library
Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')
Date: Fri, 11 Nov 2016 11:40:25 +0100 (CET)
On Fri, 11 Nov 2016, Kamil Dudka wrote:
> I would prefer to get a more descriptive error message saying what exactly
> was matched as the host part and what was expected there for the URL to be
> accepted.
Good point. But since the code hasn't exactly extracted the found hostname
correctly, it's not that easy to show it. How about at least making it say:
failf(data, "Valid host name with slash missing in URL");
The funny phrasing is because it actually checks for "localhost/", so the error
string will also be shown for "file://localhost": a file: URL without a
trailing slash.
> One minor nit. Can we write:
>
> if ('/' == ptr[1])
>
> ... instead of:
>
> if(ptr[1] && ('/' == ptr[1]))
It actually has to be changed to
if(ptr[0] && ('/' == ptr[1]))
So that it doesn't read beyond the string for "file://localhost/".
Thanks a lot for the comments. I've attached my updated version.
-- / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
- text/x-diff attachment: v2-0001-URL-parser-for-file-host-URLs-the-host-must-be-lo.patch
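As an added illustration of the host check discussed in this thread (an example written for this page, not the attached patch or any curl code): the function below requires a file: URL to carry either an empty host ("file:///path") or exactly "localhost" followed by a slash, and it tests every byte for NUL before the next one is read, which is the point of the `ptr[0] && ('/' == ptr[1])` change above. The names `check_file_url_host`, `ci_prefix`, the `file_host_result` codes and the sample URLs are all my own assumptions; the one error string reused is the "Valid host name with slash missing in URL" wording proposed in the mail.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verdict of the host check (hypothetical codes, not curl's). */
enum file_host_result {
    FILE_HOST_OK,        /* empty host or "localhost", a path follows   */
    FILE_HOST_NOT_FILE,  /* the URL does not start with "file://"       */
    FILE_HOST_BAD        /* host is not localhost, or the slash is gone */
};

/* Return the number of bytes matched if s starts with prefix (ASCII
 * case-insensitive), else 0. s[i] is tested for NUL before it is compared,
 * so a shorter s is never indexed past its terminator. */
static size_t ci_prefix(const char *s, const char *prefix)
{
    size_t i;
    for(i = 0; prefix[i]; i++) {
        if(!s[i] ||
           tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return i;
}

/* Check the host part of a file: URL. On FILE_HOST_OK, *path points at the
 * '/' that starts the path; otherwise *path is NULL. */
enum file_host_result check_file_url_host(const char *url, const char **path)
{
    const char *ptr;
    size_t n;

    *path = NULL;
    n = ci_prefix(url, "file://");
    if(!n)
        return FILE_HOST_NOT_FILE;
    ptr = url + n;

    /* "file:///path": empty host, the path starts right here */
    if(ptr[0] == '/') {
        *path = ptr;
        return FILE_HOST_OK;
    }

    /* Otherwise the host must be exactly "localhost" followed by '/'.
     * ci_prefix stops at NUL, so "file://localhos" is rejected without
     * reading beyond the string; ptr[n] is then the byte after the host
     * and is NUL for "file://localhost", which is also rejected. */
    n = ci_prefix(ptr, "localhost");
    if(!n || ptr[n] != '/')
        return FILE_HOST_BAD;
    *path = ptr + n;
    return FILE_HOST_OK;
}

/* Message to report for a verdict (the FILE_HOST_BAD text is the one
 * proposed in the mail; the others are constructed here). */
const char *file_host_message(enum file_host_result r)
{
    switch(r) {
    case FILE_HOST_OK:       return "OK";
    case FILE_HOST_NOT_FILE: return "Not a file: URL";
    default:                 return "Valid host name with slash missing in URL";
    }
}

/* Convenience wrappers so each verdict is a single returned value. */
enum file_host_result file_url_host_result(const char *url)
{
    const char *path;
    return check_file_url_host(url, &path);
}

const char *file_url_path(const char *url)   /* NULL when rejected */
{
    const char *path;
    check_file_url_host(url, &path);
    return path;
}

int main(void)
{
    /* constructed sample URLs, including the truncated forms */
    static const char *const samples[] = {
        "file:///etc/hosts", "file://localhost/etc/hosts", "FILE://LOCALHOST/",
        "file://localhost", "file://localhos", "file://example.com/etc/hosts",
        "file://", "http://localhost/"
    };
    size_t i;
    for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *path;
        enum file_host_result r = check_file_url_host(samples[i], &path);
        printf("%-30s -> %s%s%s\n", samples[i], file_host_message(r),
               path ? ", path=" : "", path ? path : "");
    }
    return 0;
}
```

The same ordering of tests is what makes the check safe: `ci_prefix` only looks at `s[i+1]` after `s[i]` has been seen to be non-NUL, and `ptr[n]` is read only after the nine bytes of "localhost" were all confirmed present, so the function never indexes past the terminator of a short URL.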