stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')
Date: Fri, 11 Nov 2016 08:18:25 +0100 (CET)
On Mon, 7 Nov 2016, Daniel Stenberg wrote:
> I (now) think we should enforce the host name check and only allow a blank
> host name or 'localhost'. The current very relaxed parser doesn't help
> anyone, it just misleads people into believing the wrong thing happens.
Here's my suggested patch to make the file:// URL parser stricter. I'm sure
this will cause someone's code to break so I am certainly listening to
concerns people might have.
The attached patch makes it so a file://[host]/[path] URL must have the [host]
part either blank, "localhost" or "127.0.0.1". Anything else mentioned as host
will cause a CURLE_URL_MALFORMAT return code.
I didn't add "::1" support because that was never mentioned in any spec as far
as I know, and in the 127.0.0.1 case it isn't using the network anyway, it
just an alternate way of saying localhost.
All tests still work.
-- / daniel.haxx.se
- text/x-diff attachment: 0001-URL-parser-for-file-host-URLs-the-host-must-be-local.patch