The code that I disagree with (i.e., do not scan a fetched file for
links if the ultimate URL does not pass the recursion tests) seems to
have been introduced in one commit from 2001-11-25:
$ git cat-file -p f6921edc
tree 76275b7fc2acbf9b66415cc17788755b1500b178
parent
On Freitag, 12. August 2016 22:13:53 CEST Matthew White wrote:
> On Wed, 10 Aug 2016 11:30:12 +0200
>
> After debugging wget and libmetalink, I can confirm that, due to how
> metalink/libmetalink is conceived (see references), metalink:file names
> posing a security issue are discarded directly
