On 11/4/25 01:42, Daniel Stenberg via curl-users wrote:
...
VULNERABILITY
-------------
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into
saving the output file outside of the current directory without the user
explicitly asking for it.
...
Is there a similar threat if a maliciously crafted
site returns in a reply header a filename containing
a path level separator:
'/' for UNIX
'\' for Windows
':' for Mac Classic
etc.
--
gil
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
