Date: Sun, 2 Sep 2007 01:12:55 GMT From: Howard Chu <hyc@openldap.org> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/116005: libfetch accepts invalid URLs Message-ID: <200709020112.l821CtU5079593@www.freebsd.org> Resent-Message-ID: <200709020120.l821K3mv050038@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 116005 >Category: bin >Synopsis: libfetch accepts invalid URLs >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Sep 02 01:20:03 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Howard Chu >Release: 6.2 >Organization: OpenLDAP Project >Environment: FreeBSD hurdy.localdomain 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: The URL parser in libfetch does not enforce the RFC1738 syntax, and it seems to have no clue about RFC1808. Most likely the code needs to be refreshed in terms of RFC2396. The URL syntax specifies that URLs with the form "scheme://authority" may only be followed by an absolute path, if anything. Thus file:///tmp/junk is valid (references "/tmp/junk") libfetch also allows references like file://./foo/bar (which references "./foo/bar") But the URI syntax does not allow relative paths to follow an authority spec. The old BNF allows "file:./foo/bar" for relative references, although RFC2396 says this form is deprecated. libfetch doesn't allow this form. RFC2396 also allows "./foo/bar" for relative references, and libfetch fails there as well. I guess in typical use, retrieving remote resources, it doesn't make sense for libfetch to handle relative URIs, unless you add an API for setting the base URI. >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200709020112.l821CtU5079593>