curl-library
Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')
Date: Fri, 11 Nov 2016 17:17:23 +0100 (CET)
On Fri, 11 Nov 2016, Kamil Dudka wrote:
> Nope. We need memmove() to translate "localhost/etc/fstab" to "etc/fstab"
> in URL "file://localhost/etc/fstab". I am asking for an example of a
> sensible URL that would be parsed differently after applying the following
> patch:
It doesn't make a difference because I did it wrong (again)! The code before
this patch is applied avoided two initial slashes with this logic.
To get that slash-skipping back it should instead do:
ptr = &path[9]; /* now points to the slash after the host */
...
if('/' == ptr[1])
/* if there was two slashes, we skip the first one as that is then
used truly as a separator */
ptr++;
/* This cannot be made with strcpy, as the memory chunks overlap! */
memmove(path, ptr, strlen(ptr)+1);
-- / daniel.haxx.se ------------------------------------------------------------------- List admin: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2016-11-11