
Re: Limit the URL size more?

From: Jeffrey Walton via curl-library <curl-library_at_lists.haxx.se>
Date: Sun, 14 Dec 2025 21:09:46 -0500

On Sun, Dec 14, 2025 at 6:11 PM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Sun, 14 Dec 2025, Jeffrey Walton wrote:
>
> > When using cURL as a user agent or client, I think this is a layering
> > violation. cURL should not be fiddling with URLs in general, and dots
> > in particular since a dot is not something that needs to be encoded in
> > HTML URLs anyways.
>
> https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4

The language in the RFC is weak. There are lots of SHOULDs, and not many MUSTs.

How does cURL know -- when acting as a client or user agent -- that
the assumptions for a generic parser hold so the reference
implementation from Section 5 is valid? That's only something the
target server would know.

The easiest proof by counterexample is a web server with index.html
and image.jpeg in the document root. A URL of
http://www.example.com/image/../image.jpeg should result in an invalid
path at the server and return an error to the client since there is no
image/ subdirectory at document root. The transformation from
http://www.example.com/image/../image.jpeg to
http://www.example.com/image.jpeg should not happen at the client or
user agent.

And the companion example is a secret knock. Suppose a webmaster
wants to use a non-existent knock/ directory to validate a request:
http://www.example.com/knock/../knock/..knock/../index.html. cURL
does not have enough information to know the local policies of the
webmaster at the target server to make the transformation.

Jeff
Received on 2025-12-15
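
The client-side transformation debated in this thread is the remove_dot_segments routine of RFC 3986 section 5.2.4. The following is an added example, not part of the mail and not curl's own code: a stand-alone C version of that routine, run over the paths of the two URLs quoted above exactly as they are written there.

```c
#include <stdio.h>
#include <string.h>

/* remove_dot_segments from RFC 3986 section 5.2.4 (steps 2A-2E).
 * out must hold at least strlen(path) + 1 bytes. Returns out. */
static char *remove_dot_segments(const char *path, char *out)
{
    const char *in = path;
    size_t n = 0;                        /* bytes written to out */

    while (*in) {
        if (!strncmp(in, "../", 3)) {
            in += 3;                     /* 2A: drop leading "../" */
        } else if (!strncmp(in, "./", 2)) {
            in += 2;                     /* 2A: drop leading "./" */
        } else if (!strncmp(in, "/./", 3)) {
            in += 2;                     /* 2B: "/./" becomes "/" */
        } else if (!strcmp(in, "/.")) {
            in = "/";                    /* 2B: trailing "/." becomes "/" */
        } else if (!strncmp(in, "/../", 4) || !strcmp(in, "/..")) {
            in = in[3] ? in + 3 : "/";   /* 2C: "/../" becomes "/" ... */
            while (n > 0 && out[--n] != '/')
                ;                        /* ... and the last output segment is dropped */
        } else if (!strcmp(in, ".") || !strcmp(in, "..")) {
            in += strlen(in);            /* 2D: lone "." or ".." */
        } else {
            do {                         /* 2E: copy one segment verbatim */
                out[n++] = *in++;
            } while (*in && *in != '/');
        }
    }
    out[n] = '\0';
    return out;
}

int main(void)
{
    /* Paths taken from the two URLs in the mail, exactly as written there. */
    const char *paths[] = {
        "/image/../image.jpeg",
        "/knock/../knock/..knock/../index.html", /* "..knock" is a normal segment */
    };
    char buf[128];

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-40s -> %s\n", paths[i], remove_dot_segments(paths[i], buf));
    return 0;
}
```

curl performs this normalization by default; the `--path-as-is` command-line option (`CURLOPT_PATH_AS_IS` in libcurl) sends the path to the server unmodified.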