> I tested one of our website from my linux-client (curl 7.35.0) for an > directory-traversal issue. I determined, that curl in the version I'm using > it, is not sending the "../../"-part of the URL in the GET-Request. I was > confused. I verified, if there are some curl-options to force/allow the > dot-URL - no success. Then a little bit of google and I reached your blog: > http://daniel.haxx.se/blog/2013/07/30/dotdot-removal-in-libcurl/ > > I would appreciate much, if there would be an "on"-option in curl, which > forces curl to send the dot-URLs in the header. And this just for testing > our servers/applications for possible vulnerabilities. > > Do you see a chance for this?
Sure, I can see us adding an option that would prevent curl from doing that - if you do the work it is even more likelier to happen soon! Please take this discussion to the curl-library mailing list! -- / daniel.haxx.se ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
