New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl tool in windows incorrectly sanitizes user-specified output pathname #624

Closed
jay opened this Issue Feb 1, 2016 · 0 comments

Comments

Projects
None yet
1 participant
@jay
Member

jay commented Feb 1, 2016

Reported via e-mail by Octavio Schroeder:

C:\temp>curl --version
curl 7.47.0 (x86_64-pc-win32) libcurl/7.47.0 OpenSSL/1.0.2f zlib/1.2.8 WinIDN libssh2/1.6.0 nghttp2/1.7.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 

Tried downloading a file as follows:

curl www.google.com -o c:\temp\google.html

The output does not get saved in a file called google.html in the
C:\temp folder but 'c__temp_google.html' in the current working folder.

jay added a commit that referenced this issue Feb 1, 2016

tool_operate: Don't sanitize --output path (Windows)
Due to path separators being incorrectly sanitized in --output
pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: #624
Reported-by: Octavio Schroeder

@jay jay self-assigned this Feb 1, 2016

@jay jay added the cmdline tool label Feb 1, 2016

@jay jay closed this in 4520534 Feb 5, 2016

@lock lock bot locked as resolved and limited conversation to collaborators May 7, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.