curl-library
Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')
Date: Wed, 23 Nov 2016 15:28:16 +0100 (CET)
On Wed, 23 Nov 2016, Rich Gray wrote:
> FYI, this Last Call notice for an update to the file:// URI specification,
> RFC 1738, came across another of my lists and might be relevant to this
> thread. Admittedly, I have not followed the thread closely or read the
> draft.
I don't think this new draft speaks against this host name parsing cleanup of
ours.
Section 2 says this:
   The "host" is the fully qualified domain name of the system on which
   the file is accessible. This allows a client on another system to
   know that it cannot access the file system, or perhaps that it needs
   to use some other local mechanism to access the file.

   As a special case, the "file-auth" rule can match the string
   "localhost" which is interpreted as "the machine from which the URI
   is being interpreted," exactly as if no authority were present. Some
   current usages of the scheme incorrectly interpret all values in the
   authority of a file URI, including "localhost", as non-local. Yet
   others interpret any value as local, even if the "host" does not
   resolve to the local machine. To maximize compatibility with
   previous specifications, users MAY choose to include an "auth-path"
   with no "file-auth" when creating a URI.
-- 
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-23
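
The rule in the quoted Section 2 text, as an added C example (not curl's code and not part of the original message): no authority, an empty authority and "localhost" mean the local machine, while any other host is reported as non-local instead of being opened locally. The names classify_file_url and enum file_host are hypothetical, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum file_host { FILE_LOCAL, FILE_REMOTE, FILE_INVALID };

/* Classify the authority of a file: URL (hypothetical helper).
   On FILE_LOCAL, *path points at the path part inside url;
   otherwise *path is NULL so a caller cannot open it by mistake. */
enum file_host classify_file_url(const char *url, const char **path)
{
  const char *p;
  size_t hostlen;

  *path = NULL;
  if(!url || strncasecmp(url, "file:", 5) || url[5] != '/')
    return FILE_INVALID;          /* wrong scheme or no absolute path */
  p = url + 5;
  if(p[1] != '/') {               /* file:/path, no authority at all */
    *path = p;
    return FILE_LOCAL;
  }
  p += 2;                         /* skip "//" */
  hostlen = strcspn(p, "/?#");    /* authority ends at the first of these */
  if(p[hostlen] != '/')
    return FILE_INVALID;          /* authority not followed by a path */
  if(hostlen == 0 || (hostlen == 9 && !strncasecmp(p, "localhost", 9))) {
    *path = p + hostlen;
    return FILE_LOCAL;
  }
  return FILE_REMOTE;             /* some other host: never treat as local */
}

int main(void)
{
  /* constructed sample input */
  static const char *urls[] = { "file:///etc/hosts",
    "file://localhost/etc/hosts", "file://fileserver.example/share/x",
    "file://host#frag/x" };
  static const char *names[] = { "local", "remote", "invalid" };
  const char *path;
  size_t i;
  for(i = 0; i < sizeof(urls) / sizeof(urls[0]); i++) {
    enum file_host h = classify_file_url(urls[i], &path);
    printf("%-36s %-8s %s\n", urls[i], names[h], path ? path : "-");
  }
  return 0;
}
```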