#1234 libcurl_tutorial.3 contains incorrect backslash

closed-fixed
None
5
2013-06-21
2013-05-28
No

--- libcurl-tutorial.3-unpatched 2013-05-28 07:24:46.577949934 -0400
+++ libcurl-tutorial.3 2013-05-28 07:25:06.161949568 -0400
@@ -1246,7 +1246,7 @@
could also use CURLINFO_EFFECTIVE_URL to generate a file name from a
server-supplied redirect URL. Special care must be taken to sanitize such
names to avoid the possibility of a malicious server supplying one like
-"/etc/passwd", "\autoexec.bat" or even ".bashrc".
+"/etc/passwd", "autoexec.bat" or even ".bashrc".

.IP "Server Certificates"
A secure application should never use the CURLOPT_SSL_VERIFYPEER option to
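Review bot: Dropping the backslash from `"\autoexec.bat"` weakens the sentence rather than fixing it, since that example is the only one showing a second path separator beside the `/` in `"/etc/passwd"`; the actual defect is that a lone backslash is an nroff escape, so the line should keep the example and escape it (`"\\autoexec.bat"`, or `\e` in place of the backslash) instead of deleting it. With the three examples intact, a reader sees that `/`, `\` and a leading `.` all need handling when a server-supplied name is used.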

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2013-05-28
    • status: open --> closed-fixed
    • assigned_to: Daniel Stenberg
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-28

    Thanks, merged and pushed as commit 7d8d2a54bac6.

     
  • Dan Fandrich

    Dan Fandrich - 2013-06-03

    The backslash there was deliberate, as an implicit reminder to the reader that those can also cause security faults if not treated specially. Admittedly, the backslash should have been doubled to make it through nroff, but eliminating it altogether makes the point of the \autoexec.bat example moot.

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-06-03

    Yeah, I thought about it as well but then I decided that perhaps it still shows the point even when removed and we avoid the backslash problem all together. You think we should double it instead?

     
  • Dan Fandrich

    Dan Fandrich - 2013-06-03

    I think an example with the slash would get more mileage than one without. Not that this is supposed to be an exhaustive list of possible file names with security implications, but my idea was that another example might cause readers to realize that there's more than just one character to worry about.

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-06-03

    Fair enough! Feel free to bring in/back the backslashes there!

     
  • Eric S. Raymond

    Eric S. Raymond - 2013-06-03

    If you bring back the backslash, please do it as '\' or \e'.

     
  • Dan Fandrich

    Dan Fandrich - 2013-06-03

    I committed it as 159d34b5. Sorry Eric, I didn't see your note in time and used a double backslash, which groff at least doesn't complain about (this form is used in other libcurl man pages). It also looks like SF munged your comment since neither example method looks quite right.

     
  • Eric S. Raymond

    Eric S. Raymond - 2013-06-03

    Yeah, my attempt to write a double backslash turned into a single backslash in the presented comment!

    Your double backslash should be fine. Technically '\e' is more correct, but double backslash should only fail on versions of [nt]roff that have been obsolete for so long you probably weren't born yet when they were end-of-lifed :-)

     

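The man page sentence under discussion says server-supplied names like "/etc/passwd", "\autoexec.bat" and ".bashrc" must be sanitized, and the thread argues that more than one character needs attention. As an added illustration (not libcurl's code; `sanitize_server_filename` and the sample names are constructed for this example), here is a conservative C check that accepts only a single, visible path component and rejects both separators, dot entries, hidden files and characters with special meaning on Windows:

```c
#include <stdio.h>
#include <string.h>

/* Added example (not libcurl's own code): accept a server-supplied file
 * name only if it is a single, visible path component. Returns 1 and
 * copies the name into `out` on success, 0 on rejection. Rejecting is
 * safer than "repairing": a stripped-down name may still land somewhere
 * the client never intended to write. */
int sanitize_server_filename(const char *name, char *out, size_t outlen)
{
    size_t i, len;

    if (name == NULL || out == NULL || outlen == 0)
        return 0;
    len = strlen(name);
    if (len == 0 || len >= outlen)
        return 0;                        /* empty, or does not fit */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                        /* current / parent directory */
    if (name[0] == '.')
        return 0;                        /* hidden dotfile such as ".bashrc" */

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Both separators matter: "/etc/passwd" is a path on POSIX and
         * "\autoexec.bat" is one on Windows, which treats '\' like '/'. */
        if (c == '/' || c == '\\')
            return 0;
        /* Control characters and characters Windows forbids in names;
         * ':' also rules out drive prefixes like "C:..." and NTFS streams. */
        if (c < 0x20 || c == 0x7f || strchr("<>:\"|?*", c) != NULL)
            return 0;
    }
    memcpy(out, name, len + 1);          /* len + 1 copies the NUL too */
    return 1;
}

int main(void)
{
    /* Constructed inputs: the man page's three examples plus a benign name. */
    const char *samples[] = { "/etc/passwd", "\\autoexec.bat", ".bashrc", "report.pdf" };
    char safe[256];
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
        printf("%-16s -> %s\n", samples[n],
               sanitize_server_filename(samples[n], safe, sizeof safe) ? "accepted" : "rejected");
    return 0;
}
```

The check deliberately does not try to cover every Windows quirk (reserved device names such as CON or NUL, trailing dots and spaces), so a production sanitizer should add those rules or, better, never derive a destination path from server-controlled input at all.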