$ ~/bin/curl -V
curl 7.29.1-DEV (i686-pc-linux-gnu) libcurl/7.29.1-DEV OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
Please detail the bug in this report without linking to someone else's explanation.
Daniel,
All those links were in fact created by me, so I just included them in the bug report w/o realizing that this report and those posts are under different names. Sorry for the confusion. I think Michael Wood posted quite a good summary of the problem. Let me know if more details are needed. -Alex
Michael Wood clarified on the curl-library list: http://curl.haxx.se/mail/lib-2013-03/0029.html
Thanks, Michael! That is exactly what is happening.
Raised prio, since it may actually cause some resources to not be possible to fetch even if this bug has always been present in libcurl and it very rarely actually hits users.
I now have some initial work on this going on. May post a patch within a couple of days.
Ok, here's my first take at a patch that removes .. and . sequences from the path. There's also a unit test for the function but I believe it still doesn't handle fragments properly in combination with ../-removal.
Thanks for the report, this fix is now pushed as commit 7877619f856a04. Please try it out. Case closed!
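For readers following the thread, here is an added example of the kind of ".." and "." removal discussed above. It is not the patch from commit 7877619f856a04 or any curl code; it follows the remove_dot_segments steps of RFC 3986 section 5.2.4 and sets the query and fragment aside first so that dot sequences inside them are left untouched. The function name and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code: RFC 3986 section 5.2.4 dot-segment removal.
   Only the path is normalized; a trailing ?query or #fragment is copied as-is. */
char *remove_dot_segments(const char *input)   /* hypothetical name */
{
    const char *in = input, *end = input + strcspn(input, "?#");
    char *out = malloc(strlen(input) + 1);     /* output is never longer than input */
    size_t o = 0;

    if (!out) return NULL;
    while (in < end) {
        size_t left = (size_t)(end - in);      /* path bytes still unread */
        if (left >= 3 && !memcmp(in, "../", 3)) {
            in += 3;                           /* rule A: leading "../" */
        } else if (left >= 2 && !memcmp(in, "./", 2)) {
            in += 2;                           /* rule A: leading "./" */
        } else if (left >= 3 && !memcmp(in, "/./", 3)) {
            in += 2;                           /* rule B: "/./" becomes "/" */
        } else if (left == 2 && !memcmp(in, "/.", 2)) {
            out[o++] = '/';                    /* rule B: final "/." becomes "/" */
            in = end;
        } else if ((left >= 4 && !memcmp(in, "/../", 4)) ||
                   (left == 3 && !memcmp(in, "/..", 3))) {
            while (o > 0 && out[--o] != '/')   /* rule C: drop last output segment */
                ;
            if (left == 3) { out[o++] = '/'; in = end; }
            else in += 3;
        } else if ((left == 1 && in[0] == '.') ||
                   (left == 2 && !memcmp(in, "..", 2))) {
            in = end;                          /* rule D: bare "." or ".." */
        } else {
            do out[o++] = *in++; while (in < end && *in != '/');  /* rule E */
        }
    }
    memcpy(out + o, end, strlen(end) + 1);     /* query/fragment plus the NUL */
    return out;
}

int main(void)
{
    char *s = remove_dot_segments("/a/b/c/./../../g?next=../x#/../frag"); /* constructed input */
    if (s) puts(s);
    free(s);
    return 0;
}
```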