On Mon, Aug 17, 2015 at 06:06:17PM +0200, Sebastien Marie wrote:
> Hi,
>
> I started reading your code, and I have a first remark.
>
> I see in main.c (at line 142 and following) that on redirection, you trust
> the server for the filename. I am not sure it is a good thing to do.
>
> If the user requests 'http://www.example.com/a_filename' (without -o),
> the file created should be 'a_filename' whatever the redirection is.
> Else, an evil server could arbitrarily choose the filename (in the current
> directory), and as file creation is done with O_TRUNC (or O_APPEND in
> resume case), an evil server could override the file he wants.
Thanks for the comments, I agree with your observation. This diff evaluates filename just once. Index: main.c =================================================================== RCS file: /cvs/http/main.c,v retrieving revision 1.67 diff -u -p -r1.67 main.c --- main.c 16 Aug 2015 08:00:25 -0000 1.67 +++ main.c 17 Aug 2015 17:33:20 -0000 @@ -108,8 +108,8 @@ main(int argc, char *argv[]) } for (i = 0; i < argc; i++) { -retry: fn = (output) ? output : basename(argv[i]); +retry: url_str = url_encode(argv[i]); p = url_type(url_str); if (url_parse(url_str, &url, p) != 0)
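Review bot: moving `retry:` below `fn = (output) ? output : basename(argv[i]);` means a `goto retry` after a redirect now only re-runs `url_encode(argv[i])` and the parsing that follows, so the local name is fixed from the user's argument (or -o) for the whole fetch; a one-line comment above that assignment saying the name is deliberately computed once so that a redirect target cannot pick which file in the current directory gets truncated would stop a later cleanup from hoisting the label back. Also worth confirming outside this hunk that nothing between that assignment and the open(2) call invokes basename(3) again, since on OpenBSD it returns a pointer to static storage and `fn` would silently change.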
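The point of the thread is that the output filename must be decided exactly once, from what the user asked for, before any redirect is followed. The following added example is not code from the OpenBSD http(1) tree; it puts the two behaviours side by side with a constructed redirect chain (the function names, the sample URLs and the `sample_chain` array are all assumptions made for the demonstration):

```c
/*
 * Added example, not code from the OpenBSD http(1) tree: derive the local
 * filename once, from -o or the URL the user typed, before the first
 * request. A redirect Location chosen by the server changes what we fetch
 * next, never which local file is opened with O_TRUNC. The redirect chain
 * below is constructed sample data.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAMEBUF 256

/*
 * Write the last path component of url into out. Returns 0 on success,
 * -1 if there is no usable component (no path, empty, ".", "..", or too
 * long for out). Query string and fragment are ignored.
 */
int
filename_from_url(const char *url, char *out, size_t outlen)
{
	const char *path, *end, *q, *p, *comp;
	size_t len;

	path = strstr(url, "://");              /* skip scheme if present */
	path = (path != NULL) ? path + 3 : url;
	path = strchr(path, '/');               /* first '/' after host */
	if (path == NULL)
		return -1;                      /* bare host: needs -o */
	end = path + strlen(path);
	if ((q = strpbrk(path, "?#")) != NULL)  /* drop ?query and #fragment */
		end = q;
	comp = path;                            /* start of last component */
	for (p = path; p < end; p++)
		if (*p == '/')
			comp = p + 1;
	len = (size_t)(end - comp);
	if (len == 0 || len >= outlen)
		return -1;
	if ((len == 1 && comp[0] == '.') ||
	    (len == 2 && comp[0] == '.' && comp[1] == '.'))
		return -1;
	memcpy(out, comp, len);
	out[len] = '\0';
	return 0;
}

/* Constructed chain: index 0 is what the user asked for, later entries are
 * the Location targets the server answers with. */
const char *const sample_chain[] = {
	"http://www.example.com/a_filename",
	"http://www.example.com/files/report.txt?dl=1",
};
const size_t sample_nhops = sizeof(sample_chain) / sizeof(sample_chain[0]);

/* Constructed chain whose request URL yields no usable name. */
const char *const no_name_chain[] = { "http://www.example.com/dir/.." };

/*
 * Behaviour the patch removes: the name is recomputed on every retry, so
 * the last hop's path decides the local filename.
 */
const char *
name_recomputed_per_hop(const char *output, const char *const *chain,
    size_t nhops)
{
	static char fn[NAMEBUF];
	size_t i;

	for (i = 0; i < nhops; i++) {
		if (output != NULL)
			snprintf(fn, sizeof fn, "%s", output);
		else if (filename_from_url(chain[i], fn, sizeof fn) != 0)
			return NULL;
		/* a real client would fetch chain[i] here and stop when no
		 * further redirect arrives */
	}
	return fn;
}

/*
 * Behaviour after the patch: fn is fixed from -o or the request URL before
 * the first request; the hops only change which URL is fetched.
 */
const char *
name_fixed_before_retry(const char *output, const char *const *chain,
    size_t nhops)
{
	static char fn[NAMEBUF];

	if (output != NULL)
		snprintf(fn, sizeof fn, "%s", output);
	else if (filename_from_url(chain[0], fn, sizeof fn) != 0)
		return NULL;
	(void)chain;    /* every hop is fetched into the same fn */
	(void)nhops;
	return fn;
}

int
main(void)
{
	printf("per hop: %s\n", name_recomputed_per_hop(NULL, sample_chain, sample_nhops));
	printf("fixed:   %s\n", name_fixed_before_retry(NULL, sample_chain, sample_nhops));
	return 0;
}
```

With the sample chain, the per-hop variant ends up writing `report.txt`, a name the server chose, while the fixed variant keeps `a_filename`, the name the user implied; the helper also refuses a request whose last component is `..` or empty so the caller is forced to use -o rather than guess.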