-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BC breaching behavior change in URL parsing with file:// scheme on Windows. #1187
Comments
Previously, the [host] part was just ignored which made libcurl accept strange URLs misleading users. like "file://etc/passwd" which might've looked like it refers to "/etc/passwd" but is just "/passwd" since the "etc" is an ignored host name. Reported-by: Mike Crowe Assisted-by: Kamil Dudka
After the initial two slashes comes a hostname or nothing at all. Putting the directory name immediately following the two slashes was always wrong and is shown by the browsers correcting it to the three slashes version. Is there a reason why you can't just fix the PHP tests to instead use three slashes instead of two?
We learned that the previous approached mislead users so it had "a high breach potential" and now many months after the change you say the change is bad. How do you then suggest we do this in a way that doesn't mislead users and yet keeps old users using the wrong syntax happy? |
It is true that the browsers do adjust for Windows paths like file://c:/tmp => file:///c:/tmp where in Linux something like file://tmp is just bad format. Related is an issue I have yet to fix with the |
Currently 7.51.0 is used in PHP, so that's not far ago, not many months. Seems the change was introduced in the subsequent version, which had a followup short after. OFC, there's no upgrade to every version, but you see it's quite close to the latest. I was not telling that the change is bad, and you see it also in the description :) I'm only telling, that there's a BC breach. Fe imagine there are two paths like If it stays by the current handling, it'll probably have to be worked around internally in PHP by auto correcting the supplied URL, which costs some processor cycles OFC. Even then, one branch goes into the security only mode soon, so there'll be no time to put a fix and ensure the stability, so we'd have to stick to a patched libs versions :( I fully understand, that you don't have to care about any third party things depending on libcurl. I think fixing tests is inconvenient, as tests are not only in PHP core, but also in any arbitrary frameworks, etc. and quite possibly some patterns are in use in the running PHP code. This is a Windows specific thing, and the only this specific case, that I'd suggest to handle same way as browsers do. AFM, it's suitable to keep this backward compatibility piece, otherwise please ignore the noise. Thanks. |
(I was referring to commit 3463408, which is almost two months old by now. But that's not "many months", I was wrong.) I'm open for fixing it to support IMHO: You should still consider fixing your URLs in PHP tests and elsewhere, as it seems wrong to rely on non-speced URL formats... |
@Badger great! Would you mind then to apply the patch i've linked before or any other you'd see sufficient? I could open a PR, if required, anyway. That's an unfortunate construct, that beats usage at quite a few places. Another case was some time ago with libxml 2.9.2, that decided to go by prefix Please let me know about the further procedure. Thanks. |
On the patch
(maybe doing a pull-request with it would be easier to facilitate easier discussions on the code)
That may be true, but that doesn't change the fact that you (the plural you as in everyone writing code that uses URLs written like this) are relying on a badly formatted URLs that aren't following the spec and that's just... wrong. We get interoperability by following specs. If you'd really wanted the URL spec to allow that weirdo format, you should take that discussion to the IETF and the work on updating the FILE: URI format: https://tools.ietf.org/html/draft-ietf-appsawg-file-scheme-16 (tirelessly worked on by @phluid61) |
This may be able to be worked in to the other issue I'm working on with the proto-default file. Also I think we should cover the case of c:/foo/bar as well as c:\foo\bar. Let me take a look at this first, it might be better to land mine before he continues on his |
@weltling thanks for the offer. This particular draft is already in the IETF editor's queue, so we shouldn't be making any changes at the moment. I'm pretty sick of it right now, to be honest, but I'm not opposed to the idea of drafting a replacement spec once this one's published. More buy-in from interested parties would certainly make it a different authoring experience. Back in the glorious days of yore (before April last year) earlier drafts did make mention of the "file://c:..." construct: [1]
For some reason that was dropped and never made it back into what is now the "non-standard syntax variations" section. There is explicit mention of backslashes, though:
So there's that. Personally I'm firmly of the opinion that standard libraries should provide APIs to convert between equivalent data types (i.e. file paths and file: URIs). That way people won't need to jury rig solutions like They still will, of course, but at least that way when it goes wrong you can say: "Use the official API" |
@phluid61 many thanks for this extended infos. Yeah, i can imagine one'd need a pause after finishing the amount of work like that :) In the current draft, there's also a mention of the other prefixes in the win32 namespace like Thanks. |
Closing in favor of #1124. Thanks. |
Follow-up to 3463408. Prior to 3463408 file:// hostnames were silently stripped. Prior to this commit it did not work when a schemeless url was used with file as the default protocol. Ref: https://curl.haxx.se/mail/lib-2016-11/0081.html Closes #1124 Also fix for drive letters: - Support --proto-default file c:/foo/bar.txt - Support file://c:/foo/bar.txt - Fail when a file:// drive letter is detected and not MSDOS/Windows. Bug: #1187 Reported-by: Anatol Belski Assisted-by: Anatol Belski
Looks like this was broken again in curl 7.56.1 and 7.57.0. @phluid61 You recently did a lot of work on the file protocol. I would love to use the most recent curl in PHP 5.6, but patches by @weltling for file:// will not be applied in 'security fixes only' branches like PHP5.6 and probably PHP 7.0 as well. What would be the best course of action? |
If this is an issue in current curl then please file a new issue and please clarify what the URL looks like that you use that doesn't work! |
I did this
In PHP, local paths can be wrapped with
file://
, which works cross platform. The change in the commit3463408 causes a regression on the Windows side in the PHP test suite, when the following code is used
I expected the following
The
$of
file is written with the contents of the file to be uploaded. The filename under Windows will look likefile://c:\some\path\curl.out
. With the new parsing mechanism, the URL becomes invalid on Windows. This change is sudden and will break many PHP apps, at least. Of course, the change itself is correct, but given it has a high breach potential, IMO the compatibility parts should be kept.Especially, as there is no particular reason to not to keep BC. I've also checked other software, fe with a path like
file://c:\windows
, both Firefox and Edge, will convert it tofile:///c:\windows
or similar. Same when usedfile://127.0.0.1/c:\windows
curl/libcurl version
The change happened between 7.51.0 and 7.52.1.
operating system
Windows
Thanks.
The text was updated successfully, but these errors were encountered: