curl / Mailing Lists / curl-library / Single Mail

curl-library

stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 11 Nov 2016 08:18:25 +0100 (CET)

On Mon, 7 Nov 2016, Daniel Stenberg wrote:

> I (now) think we should enforce the host name check and only allow a blank
> host name or 'localhost'. The current very relaxed parser doesn't help
> anyone, it just misleads people into believing the wrong thing happens.

Here's my suggested patch to make the file:// URL parser stricter. I'm sure
this will cause someone's code to break so I am certainly listening to
concerns people might have.

The attached patch makes it so a file://[host]/[path] URL must have the [host]
part either blank, "localhost" or "127.0.0.1". Anything else mentioned as host
will cause a CURLE_URL_MALFORMAT return code.

I didn't add "::1" support because that was never mentioned in any spec as far
as I know, and in the 127.0.0.1 case it isn't using the network anyway, it
just an alternate way of saying localhost.

All tests still work.

-- 
  / daniel.haxx.se


-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2016-11-11