From 265b14d6b37c4298bd5556fabcbc37d36f911693 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 1 Jun 2021 16:24:00 +0200 Subject: metalink: remove Warning: this will make existing curl command lines that use metalink to stop working. Reasons for removal: 1. We've found several security problems and issues involving the metalink support in curl. The issues are not detailed here. When working on those, it become apparent to the team that several of the problems are due to the system design, metalink library API and what the metalink RFC says. They are very hard to fix on the curl side only. 2. The metalink usage with curl was only very briefly documented and was not following the "normal" curl usage pattern in several ways, making it surprising and non-intuitive which could lead to further security issues. 3. The metalink library was last updated 6 years ago and wasn't so active the years before that either. An unmaintained library means there's a security problem waiting to happen. This is probably reason enough. 4. Metalink requires an XML parsing library, which is complex code (even the smaller alternatives) and to this day often gets security updates. 5. Metalink is not a widely used curl feature. In the 2020 curl user survey, only 1.4% of the responders said that they'd are using it. In 2021 that number was 1.2%. Searching the web also show very few traces of it being used, even with other tools. 6. The torrent format and associated technology clearly won for downloading large files from multiple sources in parallel. Cloes #7176 --- tests/data/test2017 | 78 ----------------------------------------------------- 1 file changed, 78 deletions(-) delete mode 100644 tests/data/test2017 (limited to 'tests/data/test2017') diff --git a/tests/data/test2017 b/tests/data/test2017 deleted file mode 100644 index 4937c2802..000000000 --- a/tests/data/test2017 +++ /dev/null @@ -1,78 +0,0 @@ -<testcase> -<info> -<keywords> -Metalink -HTTP -HTTP GET -</keywords> -</info> - -# -# Server-side -<reply> -<data nocheck="yes"> -HTTP/1.1 200 OK -Date: Wed, 20 Jun 2012 14:49:00 GMT -Server: test-server/fake -Content-Length: 56 -Connection: close -Content-Type: text/html -Content-Disposition: filename=name%TESTNUMBER; charset=funny; option=strange -Funny-head: yesyes - -Data that should not be delivered from an HTTP resource -</data> -</reply> - -# -# Client-side -<client> -<server> -http -</server> -<features> -file -Metalink -</features> - <name> -Metalink local XML file, attempt Unix home path traversal - </name> -<command option="no-output,no-include"> ---metalink file://%PWD/log/test%TESTNUMBER.metalink -</command> -# local metalink file written before test command runs -<file name="log/test%TESTNUMBER.metalink"> -<?xml version="1.0" encoding="utf-8"?> -<metalink version="3.0" xmlns="http://www.metalinker.org/"> - <files> - <file name="~/download%TESTNUMBER"> - <verification> - <hash type="sha256">c7d03debe90ca29492203ea921d76941fa98640cf3b744f2a16c9b58465eab82</hash> - </verification> - <resources maxconnections="1"> - <url type="http" preference="90">http://%HOSTIP:%HTTPPORT/%TESTNUMBER</url> - </resources> - </file> - </files> -</metalink> -</file> -<postcheck> -perl %SRCDIR/libtest/notexists.pl log/%TESTNUMBER log/name%TESTNUMBER -</postcheck> -</client> - -# -# Verify data after the test has been "shot" -<verify> -<file1 name="log/stdout%TESTNUMBER"> -</file1> -<file2 name="log/stderr%TESTNUMBER" mode="text"> -Metalink: parsing (file://%PWD/log/test%TESTNUMBER.metalink) metalink/XML... -Metalink: parsing (file://%PWD/log/test%TESTNUMBER.metalink) WARNING (missing or invalid file name) -Metalink: parsing (file://%PWD/log/test%TESTNUMBER.metalink) FAILED -</file2> -<stripfile2> -$_ = '' if (($_ !~ /^Metalink: /) && ($_ !~ /error/i) && ($_ !~ /warn/i)) -</stripfile2> -</verify> -</testcase> -- cgit v1.2.1