curl-users

Re: Metalink support patch for curl

From: Anthony Bryan <anthonybryan_at_gmail.com>
Date: Thu, 10 May 2012 16:01:16 -0400

On Tue, May 8, 2012 at 11:28 AM, <curl-users-request_at_cool.haxx.se> wrote:
> Message: 1
> Date: Wed, 9 May 2012 00:28:30 +0900
> From: Tatsuhiro Tsujikawa <tatsuhiro.t_at_gmail.com>
> To: the curl tool <curl-users_at_cool.haxx.se>
> Subject: Re: Metalink support patch for curl
> Message-ID:
>        <CAPyZ6=L1At3YREO_y21VtVgYqwt=bEPECBXWpkZuqu_jTmLZzw_at_mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Mon, May 7, 2012 at 1:18 AM, Tatsuhiro Tsujikawa
> <tatsuhiro.t_at_gmail.com> wrote:

> I included above change in the attached patch.
> I also fixed the issue when content-type has parameters. Now you can download
> http://openoffice.mirrorbrain.org/stable/3.3.0/OOo-SDK_3.3.0_Linux_x86-64_install-deb_en-US.tar.gz.metalink

thanks, that works for me!

could you also sanitize <file name=""> because I noticed I could use
<file name="../foo"> or <file name="/root/bar"> and traverse
directories.

is it possible to have this sanitizing in libmetalink? then it would
only need to be done once there for any app that uses it. or maybe it
is better suited to these curl patches, I don't know.

from http://tools.ietf.org/html/rfc5854#section-4.1.2.1

      Security Note: The path MUST NOT contain any directory traversal
      directives or information. The path MUST be relative. The path
      MUST NOT begin with a "/", "./", or "../"; contain "/../"; or end
      with "/..".

-- 
(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
  )) Easier, More Reliable, Self Healing Downloads
Received on 2012-05-10
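
The RFC 5854 rule quoted in the mail above, written out as a check on a <file name=""> value. This is an added example, not part of the original mail and not code from curl or libmetalink: the name metalink_name_is_safe is hypothetical, and rejecting an empty name and a bare ".." goes beyond the four conditions the RFC text lists.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from curl or libmetalink. */
static bool starts_with(const char *s, const char *prefix)
{
  return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Returns true when a <file name="..."> value passes the checks in the
 * RFC 5854 section 4.1.2.1 security note. */
bool metalink_name_is_safe(const char *name)
{
  size_t len;

  /* Added assumption (not in the RFC list): an empty name or a bare ".."
   * is never a usable output file name. */
  if(!name || !*name || strcmp(name, "..") == 0)
    return false;

  /* "MUST be relative"; "MUST NOT begin with a "/", "./", or "../"" */
  if(name[0] == '/' || starts_with(name, "./") || starts_with(name, "../"))
    return false;

  /* "MUST NOT ... contain "/../"" */
  if(strstr(name, "/../"))
    return false;

  /* "MUST NOT ... end with "/.."" */
  len = strlen(name);
  if(len >= 3 && strcmp(name + len - 3, "/..") == 0)
    return false;

  return true;
}

int main(void)
{
  /* Constructed sample names; the first two are the ones from the mail. */
  const char *names[] = { "../foo", "/root/bar", "a/../b", "a/..",
                          "dir/file.iso" };
  size_t i;

  for(i = 0; i < sizeof(names) / sizeof(names[0]); i++)
    printf("%-14s %s\n", names[i],
           metalink_name_is_safe(names[i]) ? "accept" : "reject");
  return 0;
}
```

This covers only the "/" forms the RFC text names. On platforms where "\" or a drive prefix also separates path components, those need the same treatment.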