curl tool in windows incorrectly sanitizes user-specified output pathname #624

jay · 2016-02-01T08:55:03Z

Reported via e-mail by Octavio Schroeder:

C:\temp>curl --version
curl 7.47.0 (x86_64-pc-win32) libcurl/7.47.0 OpenSSL/1.0.2f zlib/1.2.8 WinIDN libssh2/1.6.0 nghttp2/1.7.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 

Tried downloading a file as follows:

curl www.google.com -o c:\temp\google.html

The output does not get saved in a file called google.html in the
C:\temp folder but 'c__temp_google.html' in the current working folder.

Due to path separators being incorrectly sanitized in --output pathnames, eg -o c:\foo => c__foo This is a partial revert of 3017d8a until I write a proper fix. The remote-name will continue to be sanitized, but if the user specified an --output with string replacement (#1, #2, etc) that data is unsanitized until I finish a fix. Bug: #624 Reported-by: Octavio Schroeder

jay self-assigned this Feb 1, 2016

jay added the cmdline tool label Feb 1, 2016

jay closed this in 4520534 Feb 5, 2016

jay mentioned this issue Feb 5, 2016

7.47.0 -o switch saving into an incorrect path #636

Closed

lock bot locked as resolved and limited conversation to collaborators May 7, 2018

curl / curl

curl tool in windows incorrectly sanitizes user-specified output pathname #624

curl tool in windows incorrectly sanitizes user-specified output pathname #624

jay commented Feb 1, 2016

curl / curl

Sponsor curl/curl

Join GitHub today

GitHub is where the world builds software

curl tool in windows incorrectly sanitizes user-specified output pathname #624

curl tool in windows incorrectly sanitizes user-specified output pathname #624

Comments

jay commented Feb 1, 2016

Essential cookies

Always active

Analytics cookies