curl-users
Re: Problem with ./ in redirect
Date: Fri, 4 Oct 2002 16:14:04 +0200 (MET DST)
On Thu, 3 Oct 2002, Ralph Mitchell wrote:
> I guess if the url starts with ./ it'll be ok to hack it off, or even wait
> until just before sending out the url and then run along it taking out any
> ./ that crept in?
I'd rather not. I prefer to let the user be able to put in any kind of weirdo
input he feels like.
> But I'm afraid that it should probably be more generic than that, right?
> In the case of the ../ that Kevin mentioned, the next-to-the-left directory
> name (if there is one) should be removed, then the whole process repeated
> until either no directory name falls between the server and the ../, or
> until there are no more ../s. Did that make sense?
This makes sense. I had a go at this just a while ago and attached to this
mail is a patch that seems to work for me. I also added four test cases that
prove this to work at least for the most obvious cases.
> I don't suppose there's a 'canonicalise path' function in the C library, is
> there? That would be just too easy... :)
Correct.
Anyway, please try the attached patch and see if it makes your life sunnier!
(I made this patch against 7.10, but I bet you can apply it to older sources
as well, should you want that.)
-- Daniel Stenberg -- curl related mails on curl related mailing lists please
- TEXT/PLAIN attachment: dotslash.patch
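
The ./ and ../ collapsing discussed in this thread, as an added example in C; it is not the attached dotslash.patch and not curl's own code. The name collapse_dots is hypothetical, and silently dropping a ../ that has no directory to its left is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Collapse "./" and "../" segments in an absolute URL path, leaving any
   query or fragment untouched. Returns 0 on success, -1 if the path is
   not absolute or out is too small (output is never longer than input). */
int collapse_dots(const char *path, char *out, size_t outlen)
{
    size_t o = 0;                          /* bytes written to out */
    const char *p = path;
    if (*p != '/' || outlen < strlen(path) + 1)
        return -1;
    while (*p == '/') {
        const char *seg = p + 1;           /* segment after this slash */
        size_t len = strcspn(seg, "/?#");  /* stop at query/fragment too */
        int last = (seg[len] != '/');      /* this segment ends the path */
        if (len == 1 && seg[0] == '.') {
            if (last) out[o++] = '/';      /* "/a/." becomes "/a/" */
        } else if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (o > 0 && out[--o] != '/')
                ;                          /* drop the directory to the left */
            if (last) out[o++] = '/';      /* "/a/b/.." becomes "/a/" */
        } else {
            out[o++] = '/';                /* ordinary segment: copy it */
            memcpy(out + o, seg, len);
            o += len;
        }
        p = seg + len;
    }
    strcpy(out + o, p);                    /* query/fragment, or just NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from the thread. */
    const char *samples[] = { "/a/./b", "/a/b/../c", "/a/../../x",
                              "/a/b/..", "/a/./b?next=../y" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (collapse_dots(samples[i], buf, sizeof buf) == 0)
            printf("%-20s -> %s\n", samples[i], buf);
    return 0;
}
```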