curl-library
Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')
Date: Fri, 11 Nov 2016 17:42:50 +0100
On Friday, November 11, 2016 17:17:23 Daniel Stenberg wrote:
> On Fri, 11 Nov 2016, Kamil Dudka wrote:
> > Nope. We need memmove() to translate "localhost/etc/fstab" to "etc/fstab"
> > in URL "file://localhost/etc/fstab". I am asking for an example of a
> > sensible URL that would be parsed differently after applying the following
>
> > patch:
> It doesn't make a difference because I did it wrong (again)! The code before
> this patch is applied avoided two initial slashes with this logic.
>
> To get that slash-skipping back it should instead do:
>
> ptr = &path[9]; /* now points to the slash after the host */
>
> ...
>
> if('/' == ptr[1])
> /* if there was two slashes, we skip the first one as that is then
> used truly as a separator */
> ptr++;
>
> /* This cannot be made with strcpy, as the memory chunks overlap! */
> memmove(path, ptr, strlen(ptr)+1);
Now I finally understand how it was supposed to work and I can confirm that
the latest version works as expected!
Kamil
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-11