New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl tool option to percent-encode the passed raw URL #514

Closed
vszakats opened this Issue Nov 3, 2015 · 14 comments

Comments

Projects
None yet
6 participants
@vszakats
Member

vszakats commented Nov 3, 2015

In certain situations it'd would be useful if curl (the tool) could translate a raw URL (f.e. containing spaces or other special characters) passed to its command-line to the percent-encoded (AKA 'URL encoded') version that would then be used to make the actual request.

This could be handy on Windows mainly, where the % sign has special uses, so including it in a command may be problematic (needs different escaping on the command-line, inside a batch file, in shell script), or impossible.

So f.e. this line:

curl -O https://example.com/hello%20world.txt

could become:

curl -O "https://example.com/hello world.txt" -rawurl

Required low-level logic is already implemented in the codebase as curl_easy_escape().

@vszakats vszakats changed the title from curl tool option to percent-encode the passed raw URL (feature-request) to curl tool option to percent-encode the passed raw URL (feature request) Nov 3, 2015

@bagder

This comment has been minimized.

Member

bagder commented Nov 3, 2015

One problem would be that you probably don't want it to become fully "URL encoded" (as said libcurl function would make it) as then for example the slashes would also be encoded... It sounds to me like you're looking to getting some specific letters to get encoded, like space for example.

@vszakats

This comment has been minimized.

Member

vszakats commented Nov 3, 2015

Yes, exactly, thanks for pointing that out. Spaces, percent-sign look like good candidates to start with.

(I've updated the original message.)

@jay jay added the feature-request label Nov 3, 2015

@jay jay changed the title from curl tool option to percent-encode the passed raw URL (feature request) to curl tool option to percent-encode the passed raw URL Nov 3, 2015

@bagder bagder closed this in 3ea77f6 Jan 11, 2016

@vszakats

This comment has been minimized.

Member

vszakats commented Jul 12, 2016

@patrikhson Looks like something is spamming this space on your behalf.

@bagder

This comment has been minimized.

Member

bagder commented Jul 12, 2016

Yeah and I have no way to block a specific user or email address other than to report them for abuse but I did it now in an attempt to stop this flood.

@kdudka

This comment has been minimized.

Collaborator

kdudka commented Jul 12, 2016

On Tuesday, July 12, 2016 08:28:02 Daniel Stenberg wrote:

Yeah and I have no way to block a specific user or email address other than
to report them for abuse but I did it now in an attempt to stop this
flood.

So did I (together with request to delete the comments). Then I spotted that
@patrikhson posted a "normal" comment in 2013. Looks like somebody hacked his
account recently.

@bagder

This comment has been minimized.

Member

bagder commented Jul 12, 2016

Yes I know Patrik Fältström so I know this isn't him. But AFAIK there's nothing preventing you from sending emails to github and just forging the From address.

@vszakats

This comment has been minimized.

Member

vszakats commented Jul 12, 2016

I believe it's not enough to spoof the sender address to be able to post to spaces like this. One needs to also obtain a valid reply address, which is identifying the discussion (and possibly the participant as well), and which looks like this in case of GitHub:

reply+<very-long-unique-hex-id> (AT) reply.github.com

Assuming such reply ID cannot be easily spoofed, it's likely they are being harvested from email archives and used as target addresses.

@vszakats

This comment has been minimized.

Member

vszakats commented Jul 12, 2016

One stop-gap solution is to lock old Issues and other places where he appears as participant.

@patrikhson

This comment has been minimized.

patrikhson commented Jul 12, 2016

I have noted this but will be in an airplane for two hours. Will be online approx 1800 UTC.

Patrik

On 12 juli 2016, at 17:39, Viktor Szakats notifications@github.com wrote:

One stop-gap solution is to lock old Issues and other places where he appears as participant.


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

@patrikhson

This comment has been minimized.

patrikhson commented Jul 12, 2016

FWIW, I am cleaning up now. I have no real idea what has happened...

@jay

This comment has been minimized.

Member

jay commented Jul 13, 2016

No that shouldn't be necessary. I wrote GitHub about this and they are going to look into that account to improve their spam protection. Clearly no person would post that many messages in such a short period of time, only an automated process. The content was also suspect.

Collaborators are limited in how they can handle abuse like this to reporting it, Owners however can throw down the hammer I believe by ignoring the user because when you ignore a user it should ban them from posting comments in any repos they own. That may be different for organizations (which we are) so @bagder should this happen again you could also try https://help.github.com/articles/blocking-a-user-from-your-organization/

@bagder

This comment has been minimized.

Member

bagder commented Jul 13, 2016

I noticed already 10 hours ago that github admins had removed the spam comments (I think several of us reported the incident). At least all the ones I checked.

@cup

This comment has been minimized.

cup commented Jan 2, 2018

@bagder its nice that you added this to the TODO list, but that doesnt really, or shouldnt really close this issue

also that was about 2 years ago

@bagder

This comment has been minimized.

Member

bagder commented Jan 3, 2018

@svnpenn: we don't keep issues open if nobody intends to work on them: https://curl.haxx.se/docs/bugs.html#Closing_off_stalled_bugs

@lock lock bot locked as resolved and limited conversation to collaborators May 6, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.