Getting the parent directory with curl

0

1

I've just written a very basic server which serves every file in a directory I'm calling public. Now, this server has no kind of security features whatsoever (as I said, very basic) and so I would expect the following curl command to give me the contents of a file outside of that directory:

curl 127.0.0.1:3000/../fileInTheParentDirectory.txt

However, this doesn't work. Monitoring the traffic with fiddler showed me why: it's actually ignoring the .. and trying to access 127.0.0.1/fileInTheParentDirectory.txt. Now, I certainly don't mind having free safety features, but I don't understand why this is happening. So my question is: Does curl automatically remove the ..? If so, since which version has it done that?

I've found resources that claim that this should work, so I'm guessing that the behaviour has been changed or it's different with different OSes or something like that.

If relevant, here's my output of curl --version:

curl 7.50.3 (x86_64-apple-darwin14.5.0) libcurl/7.50.3 OpenSSL/1.0.2j zlib/1.2.8
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

blalasaadri

Posted 2016-12-20T15:43:02.023

Reputation: 101

Here wget, curl and Firefox do the same... which resources claim that it should work? – golimar – 2016-12-20T16:07:05.510

I'm reading the book "Beginning Node.js" by Basarat Ali Syed (Apress) and that has an example which - in the book - does exactly what I would expect. And I saw it somewhere else as well while searching for a solution, though I can't find where exactly that was. – blalasaadri – 2016-12-20T16:10:42.400

And yes, Firefox did the same for me as well. – blalasaadri – 2016-12-20T16:11:10.503

Makes sense anyway, I can't see the point of going under the root – golimar – 2016-12-20T16:19:28.900

The point I see here is penetration testing. I want to make sure, that when I create a real server and someone DOES have a tool that will go to ../something then my server will return an error rather than the file requested. As far as I'm aware, there's nothing in the HTTP spec (or any other relevant spec) that would prevent a tool from doing that. – blalasaadri – 2016-12-20T16:22:40.797

Answers

0

Since cURL 7.42.0 this is possible with --path-as-is, as described in the man page:

$ curl -v --path-as-is  localhost/../../foo.txt
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /../../foo.txt HTTP/1.1
...

cweiske

Posted 2016-12-20T15:43:02.023

Reputation: 1 010

Asked: 2016-12-20T15:43:02.023

Viewed: 650 times

Active: 2017-04-03T08:24:26.840