curl-library

Re: stricter host name requirements for file:// URLs (was Re: [SECURITY ADVISORY] curl invalid URL parsing with '#')

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 23 Nov 2016 15:28:16 +0100 (CET)

On Wed, 23 Nov 2016, Rich Gray wrote:

> FYI, this Last Call notice for an update to the file:// URI specification,
> RFC 1738, came across another of my lists and might be relevant to this
> thread. Admittedly, I have not followed the thread closely or read the
> draft.

I don't think this new draft speaks against this host name parsing cleanup of
ours.

Section 2 says this:

    The "host" is the fully qualified domain name of the system on which
    the file is accessible. This allows a client on another system to
    know that it cannot access the file system, or perhaps that it needs
    to use some other local mechanism to access the file.

    As a special case, the "file-auth" rule can match the string
    "localhost" which is interpreted as "the machine from which the URI
    is being interpreted," exactly as if no authority were present. Some
    current usages of the scheme incorrectly interpret all values in the
    authority of a file URI, including "localhost", as non-local. Yet
    others interpret any value as local, even if the "host" does not
    resolve to the local machine. To maximize compatibility with
    previous specifications, users MAY choose to include an "auth-path"
    with no "file-auth" when creating a URI.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-11-23
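
An added example, not part of the original mail and not curl's own code: one way to classify the authority of a file: URL along the lines of the draft text quoted above, where a missing or empty authority and "localhost" mean the local machine. Treating every other host as non-local, and the names `classify_file_url`, `ieq` and `enum file_host`, are assumptions of this sketch.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum file_host { FILE_HOST_LOCAL, FILE_HOST_NONLOCAL, FILE_URL_INVALID };

/* Case-insensitive compare of the first n bytes of s with a lowercase
   literal of exactly n bytes. Stops at a NUL in s, so it never overreads. */
static int ieq(const char *s, const char *lit, size_t n)
{
  size_t i;
  if(strlen(lit) != n)
    return 0;
  for(i = 0; i < n; i++)
    if(tolower((unsigned char)s[i]) != lit[i])
      return 0;
  return 1;
}

/* On FILE_HOST_LOCAL, *path points at the path part inside url;
   otherwise *path is NULL and the caller should not open anything. */
enum file_host classify_file_url(const char *url, const char **path)
{
  const char *p, *slash;
  size_t hostlen;

  *path = NULL;
  if(!ieq(url, "file:", 5))
    return FILE_URL_INVALID;
  p = url + 5;
  if(p[0] != '/')
    return FILE_URL_INVALID;
  if(p[1] != '/') {           /* "file:/path": no authority present */
    *path = p;
    return FILE_HOST_LOCAL;
  }
  p += 2;                     /* skip "//" */
  slash = strchr(p, '/');
  if(!slash)
    return FILE_URL_INVALID;  /* authority without a path */
  hostlen = (size_t)(slash - p);
  /* The length is part of the match, so a host that merely starts
     with "localhost" is not mistaken for the local machine. */
  if(hostlen == 0 || ieq(p, "localhost", hostlen)) {
    *path = slash;
    return FILE_HOST_LOCAL;
  }
  return FILE_HOST_NONLOCAL;
}
```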