Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Daniel Stenberg <>
Date: Fri, 11 Nov 2016 11:40:25 +0100 (CET)

On Fri, 11 Nov 2016, Kamil Dudka wrote:

> I would prefer to get a more descriptive error message saying what exactly
> was matched as the host part and what was expected there for the URL to be
> accepted.

Good point. But since the code hasn't exactly extracted the found hostname
correctly, it's not that easy to show it. How about at least making it say:

   failf(data, "Valid host name with slash missing in URL");

The funny phrasing is because it actually checks for "localhost/", so the error
string will also be shown for "file://localhost": a file: URL without a
trailing slash.

> One minor nit. Can we write:
> if ('/' == ptr[1])
> ... instead of:
> if(ptr[1] && ('/' == ptr[1]))

It actually has to be changed to

   if(ptr[0] && ('/' == ptr[1]))

So that it doesn't read beyond the string for "file://localhost/".

Thanks a lot for the comments. I've attached my updated version.
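An added example, not taken from the thread or from curl's source, that applies the two rules settled on above to the part after "file://": match the literal "localhost/" including its slash, and never read a byte past a possible terminator. The function and enum names are hypothetical, the comparison is case-sensitive, and the layout differs from curl's own parser (here the slash test lands on ptr[0] rather than ptr[1]).

```c
#include <stddef.h>
#include <string.h>

/* Outcome of the host check (hypothetical names, not curl's own). */
enum file_host_check {
    FILE_HOST_OK = 0,        /* path located */
    FILE_HOST_NOT_FILE_URL,  /* does not start with "file://" */
    FILE_HOST_SLASH_MISSING  /* the case the thread's failf() reports */
};

/* Find the path of a file: URL. Only an empty host ("file:///path") or the
 * literal "localhost/" ("file://localhost/path") is accepted, which is what
 * the check discussed in the thread looks for. On success *path points at
 * the leading '/' of the path; otherwise *path is NULL. */
enum file_host_check file_url_path(const char *url, const char **path)
{
    const char *ptr;

    *path = NULL;
    if(strncmp(url, "file://", 7) != 0)
        return FILE_HOST_NOT_FILE_URL;
    ptr = url + 7;  /* first byte after "file://", possibly the NUL itself */

    /* The match includes the trailing slash, so "file://localhost" with no
     * slash does not match here and is rejected below: the same behaviour
     * the thread's error string has to cover. */
    if(strncmp(ptr, "localhost/", 10) == 0) {
        *path = ptr + 9;
        return FILE_HOST_OK;
    }

    /* Empty host. ptr[0] may be the terminating NUL of a bare "file://", so
     * it is the last byte this function may look at before deciding; the
     * thread's "ptr[0] && ('/' == ptr[1])" applies the same rule one byte
     * later, where ptr[1] must not be read unless ptr[0] is non-NUL. */
    if('/' == ptr[0]) {
        *path = ptr;
        return FILE_HOST_OK;
    }
    return FILE_HOST_SLASH_MISSING;
}

/* Text a caller would hand to failf() for each outcome. */
const char *file_host_check_message(enum file_host_check r)
{
    switch(r) {
    case FILE_HOST_OK:           return "OK";
    case FILE_HOST_NOT_FILE_URL: return "Not a file: URL";
    default: return "Valid host name with slash missing in URL";
    }
}
```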


