Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl tool in windows incorrectly sanitizes user-specified output pathname #624

jay opened this issue Feb 1, 2016 · 0 comments


Copy link

jay commented Feb 1, 2016

Reported via e-mail by Octavio Schroeder:

C:\temp>curl --version
curl 7.47.0 (x86_64-pc-win32) libcurl/7.47.0 OpenSSL/1.0.2f zlib/1.2.8 WinIDN libssh2/1.6.0 nghttp2/1.7.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 

Tried downloading a file as follows:

curl -o c:\temp\google.html

The output does not get saved in a file called google.html in the
C:\temp folder but 'c__temp_google.html' in the current working folder.
jay added a commit that referenced this issue Feb 1, 2016
Due to path separators being incorrectly sanitized in --output
pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: #624
Reported-by: Octavio Schroeder
@jay jay self-assigned this Feb 1, 2016
@jay jay closed this as completed in 4520534 Feb 5, 2016
@lock lock bot locked as resolved and limited conversation to collaborators May 7, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet

No branches or pull requests

1 participant