Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 11 Nov 2016 11:40:25 +0100 (CET)

On Fri, 11 Nov 2016, Kamil Dudka wrote:

> I would prefer to get a more descriptive error message saying what exactly
> was matched as the host part and what was expected there for the URL to be
> accepted.

Good point. But since the code hasn't exactly extracted the found hostname
correctly, it's not that easy to show it. How about at least making it say:

   failf(data, "Valid host name with slash missing in URL");

The funny phrasing because it actually checks for "localhost/" so the error
string will also be shown for "file://localhost": a file: URL without a
trailing slash.

> One minor nit. Can we write:
>
> if ('/' == ptr[1])
>
> ... instead of:
>
> if(ptr[1] && ('/' == ptr[1]))

It actually has to be changed to

   if(ptr[0] && ('/' == ptr[1]))

So that it doesn't read beyond the string for "file://localhost/".

Thanks a lot for the comments. I've attached my updated version. 

-- 
  / daniel.haxx.se

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2016-11-11