Download
Browse source Changelog
Documentation
Project   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Version numbers curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [SECURITY ADVISORY] curl invalid URL parsing with '#'

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sun, 6 Nov 2016 13:40:58 +0100 (CET)

On Fri, 4 Nov 2016, Mike Crowe wrote:

> Rightly or wrongly, we've used URLs like "file://test.txt" in many of our
> unit tests which are now failing. :(

First: I don't think it is clear in any spec that local file:// URLs actually
work.

I reverted the 3bb273db7e commit in a local branch and tested what exactly
worked with a relative path before this change. It turns out it works in one
specific case and it doesn't work for a lot of others that should work if we'd
consider file: paths to be fully relative.

Works: you can get a file in the current directory if you used a messed up
URL (tests run in the curl source tree root):

   $ ./src/curl file://README

But note that file: URLs have a hostname that can be blank after the two
slashes so for the URL to be perfectly nicely formatted it should actually be
file://localhost/README spelled out fully or file:///README with the host name
inhibited.

These don't work:

   $ ./src/curl file://localhost/README
   curl: (37) Couldn't open file /README

   $ ./src/curl file:///README
   curl: (37) Couldn't open file /README

... or why not try a file in a subdirectory relative to where we invoke curl
with the initial funny two-slashes URL format:

   $ ./src/curl file://docs/README.md
   curl: (37) Couldn't open file /README.md

and just to make sure that using three slashes doesn't magically fix this
case:

   $ ./src/curl file:///docs/README.md
   curl: (37) Couldn't open file /docs/README.md

Conclusion:

file:// didn't work very good for relaive file paths before this commit
either, only in a single case for exactly the current directory. The story is
now much more consistent since all cases seem to work the same way.

I'm leaning to say that you should rather insert pwd somewhere, like this:

   $ ./src/curl file://`pwd`/docs/README.md

   or

   $ ./src/curl file://`pwd`/README

... which both should work fine, both before and after commit 3bb273db7e. 

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-06