From 93d20cffd3b6b8dc9705f3252c09c9269d8ac705 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 11 Nov 2016 08:09:04 +0100
Subject: [PATCH 2/2] URL-parser: for file://[host]/ URLs, the [host] must be
localhost
Previously, the [host] part was just ignored which made libcurl accept
strange URLs misleading users. like "file://etc/passwd" which might've
looked like it refers to "/etc/passwd" but is just "/passwd" since the
"etc" is an ignored host name.
Reported-by: Mike Crowe
Assisted-by: Kamil Dudka
Upstream-commit: 346340808c89db33803ef7461dee191ff7c3d07f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 55 ++++++++++++++++++++++++++++++-------------------------
1 file changed, 30 insertions(+), 25 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index b997f41..9a8f6e3 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4065,33 +4065,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
* the URL protocols specified in RFC 1738
*/
if(path[0] != '/') {
- /* the URL included a host name, we ignore host names in file:// URLs
- as the standards don't define what to do with them */
- char *ptr=strchr(path, '/');
- if(ptr) {
- /* there was a slash present
-
- RFC1738 (section 3.1, page 5) says:
-
- The rest of the locator consists of data specific to the scheme,
- and is known as the "url-path". It supplies the details of how the
- specified resource can be accessed. Note that the "/" between the
- host (or port) and the url-path is NOT part of the url-path.
-
- As most agents use file://localhost/foo to get '/foo' although the
- slash preceding foo is a separator and not a slash for the path,
- a URL as file://localhost//foo must be valid as well, to refer to
- the same file with an absolute path.
- */
+ /* the URL includes a host name, it must match "localhost" or
+ "127.0.0.1" to be valid */
+ char *ptr;
+ if(!checkprefix("localhost/", path) &&
+ !checkprefix("127.0.0.1/", path)) {
+ failf(data, "Valid host name with slash missing in URL");
+ return CURLE_URL_MALFORMAT;
+ }
+ ptr = &path[9]; /* now points to the slash after the host */
- if(ptr[1] && ('/' == ptr[1]))
- /* if there was two slashes, we skip the first one as that is then
- used truly as a separator */
- ptr++;
+ /* there was a host name and slash present
- /* This cannot be made with strcpy, as the memory chunks overlap! */
- memmove(path, ptr, strlen(ptr)+1);
- }
+ RFC1738 (section 3.1, page 5) says:
+
+ The rest of the locator consists of data specific to the scheme,
+ and is known as the "url-path". It supplies the details of how the
+ specified resource can be accessed. Note that the "/" between the
+ host (or port) and the url-path is NOT part of the url-path.
+
+ As most agents use file://localhost/foo to get '/foo' although the
+ slash preceding foo is a separator and not a slash for the path,
+ a URL as file://localhost//foo must be valid as well, to refer to
+ the same file with an absolute path.
+ */
+
+ if('/' == ptr[1])
+ /* if there was two slashes, we skip the first one as that is then
+ used truly as a separator */
+ ptr++;
+
+ /* This cannot be made with strcpy, as the memory chunks overlap! */
+ memmove(path, ptr, strlen(ptr)+1);
}
protop = "file"; /* protocol string */
--
2.7.4