author | Daniel Stenberg <daniel@haxx.se> | 2016-11-11 08:09:04 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-11-11 17:14:45 +0100 |
commit | 346340808c89db33803ef7461dee191ff7c3d07f (patch) | |
tree | 569e90dc90b26115967ba813a75fefaf86df5583 /lib/url.c | |
parent | 8c15e0de6f70e48eafe9e5b986f032c17dd88e07 (diff) | |
download | curl-346340808c89db33803ef7461dee191ff7c3d07f.tar.gz |
URL-parser: for file://[host]/ URLs, the [host] must be localhost
Previously, the [host] part was just ignored, which made libcurl accept
strange URLs that could mislead users, like "file://etc/passwd", which might've
looked like it refers to "/etc/passwd" but is just "/passwd" since the
"etc" is an ignored host name.
Reported-by: Mike Crowe
Assisted-by: Kamil Dudka
Diffstat (limited to 'lib/url.c')
-rw-r--r-- | lib/url.c | 55 |
1 files changed, 30 insertions, 25 deletions
@@ -4068,33 +4068,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
 * the URL protocols specified in RFC 1738 */
 if(path[0] != '/') {
- /* the URL included a host name, we ignore host names in file:// URLs
- as the standards don't define what to do with them */
- char *ptr=strchr(path, '/');
- if(ptr) {
- /* there was a slash present
-
- RFC1738 (section 3.1, page 5) says:
-
- The rest of the locator consists of data specific to the scheme,
- and is known as the "url-path". It supplies the details of how the
- specified resource can be accessed. Note that the "/" between the
- host (or port) and the url-path is NOT part of the url-path.
-
- As most agents use file://localhost/foo to get '/foo' although the
- slash preceding foo is a separator and not a slash for the path,
- a URL as file://localhost//foo must be valid as well, to refer to
- the same file with an absolute path.
- */
+ /* the URL includes a host name, it must match "localhost" or
+ "127.0.0.1" to be valid */
+ char *ptr;
+ if(!checkprefix("localhost/", path) &&
+ !checkprefix("127.0.0.1/", path)) {
+ failf(data, "Valid host name with slash missing in URL");
+ return CURLE_URL_MALFORMAT;
+ }
+ ptr = &path[9]; /* now points to the slash after the host */
- if(ptr[1] && ('/' == ptr[1]))
- /* if there was two slashes, we skip the first one as that is then
- used truly as a separator */
- ptr++;
+ /* there was a host name and slash present
- /* This cannot be made with strcpy, as the memory chunks overlap! */
- memmove(path, ptr, strlen(ptr)+1);
- }
+ RFC1738 (section 3.1, page 5) says:
+
+ The rest of the locator consists of data specific to the scheme,
+ and is known as the "url-path". It supplies the details of how the
+ specified resource can be accessed. Note that the "/" between the
+ host (or port) and the url-path is NOT part of the url-path.
+
+ As most agents use file://localhost/foo to get '/foo' although the
+ slash preceding foo is a separator and not a slash for the path,
+ a URL as file://localhost//foo must be valid as well, to refer to
+ the same file with an absolute path.
+ */
+
+ if('/' == ptr[1])
+ /* if there was two slashes, we skip the first one as that is then
+ used truly as a separator */
+ ptr++;
+
+ /* This cannot be made with strcpy, as the memory chunks overlap! */
+ memmove(path, ptr, strlen(ptr)+1);
 }
 protop = "file"; /* protocol string */ |
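Review bot: The offset in `ptr = &path[9];` is correct only because the two accepted host strings, "localhost" and "127.0.0.1", both happen to be nine characters long, and nothing on that line says so. This check is what keeps a file:// URL with a host part from being silently read as a different local path, so the offset should be tied to the matched prefix. For example `ptr = &path[strlen("localhost")]; /* "127.0.0.1" has the same length */`, which uses `strlen` as the `memmove` line already does. Without that, a host of a different length added to the `checkprefix` test later would leave `ptr` pointing into the host name or past the separator with no error. The enclosing function `parseurlandfillconn` begins and ends outside this hunk.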