curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 11 Nov 2016 17:17:23 +0100 (CET)

On Fri, 11 Nov 2016, Kamil Dudka wrote:

> Nope. We need memmove() to translate "localhost/etc/fstab" to "etc/fstab"
> in URL "file://localhost/etc/fstab". I am asking for an example of a
> sensible URL that would be parsed differently after applying the following
> patch:

It doesn't make a difference because I did it wrong (again)! The code before
this patch is applied avoided two initial slashes with this logic.

To get that slash-skipping back it should instead do:

       ptr = &path[9]; /* now points to the slash after the host */

       ...

       if('/' == ptr[1])
         /* if there was two slashes, we skip the first one as that is then
            used truly as a separator */
         ptr++;

       /* This cannot be made with strcpy, as the memory chunks overlap! */
       memmove(path, ptr, strlen(ptr)+1);

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-11