curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you, for example, use a URL parser that follows the RFC to check for allowed domains before using curl to request them. Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send a request to evil.com while your browser would connect to example.com given the same URL. The problem exists for most protocol schemes. External References: https://curl.haxx.se/docs/adv_20161102J.html
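The parser differential described above, as an added illustration (this is not curl's code and not part of the bug report): an RFC 3986 parser ends the authority at the first '/', '?' or '#', so it reads the host as `example.com`, whereas a lenient parser that only stops at '/' reads past the '#' and takes `evil.com` as the host. The mitigation shown is the one a defender would apply in front of curl: extract the host with the RFC parser, apply the allow-list, and hand curl a canonical URL with the fragment dropped (a fragment is never sent on the wire anyway), then confirm that even the lenient reading of that canonical URL agrees. `ALLOWED_HOSTS` and `naive_host` are constructed for the example; `naive_host` only models the lenient reading, it is not an implementation of curl's parser.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for the example; the real one is application-specific.
ALLOWED_HOSTS = {"example.com"}


def rfc3986_host(url):
    """Host as an RFC 3986 parser sees it: the authority ends at the first
    '/', '?' or '#', so anything after '#' is fragment, not host."""
    return (urlsplit(url).hostname or "").lower()


def naive_host(url):
    """Illustrative lenient reading (hypothetical, not curl's code): the
    authority runs up to the first '/', and the host is whatever follows
    the last '@' in it.  This is the reading that the '#@' trick exploits."""
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = rest.split("/", 1)[0]
    hostport = authority.rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower()


def parser_views(url):
    """Return (rfc_host, lenient_host) so a differential is visible."""
    return rfc3986_host(url), naive_host(url)


def canonical_request_url(url):
    """Rebuild the URL from its RFC 3986 components with the fragment
    removed, so the fetcher is never handed a '#...' it might misparse.
    An empty path becomes '/', which is what the request line carries."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def safe_url_for_fetch(url, allowed=ALLOWED_HOSTS):
    """Allow-list check done the defender's way: decide on the RFC host,
    canonicalize, and refuse if the lenient reading of the canonical URL
    still disagrees (belt and braces).  Returns the URL to pass to curl,
    or None when the request must not be made."""
    host = rfc3986_host(url)
    if not host or host not in allowed:
        return None
    canon = canonical_request_url(url)
    if naive_host(canon) != host:
        return None
    return canon


if __name__ == "__main__":
    # Constructed sample input, taken from the advisory text above.
    sample = "http://example.com#@evil.com/x.txt"
    print("RFC host / lenient host:", parser_views(sample))
    print("URL handed to curl:", safe_url_for_fetch(sample))
```

Run stand-alone it reports the two readings of the sample URL and the canonical `http://example.com/` that would be passed on; the fragment, and with it the misleading `@evil.com`, never reaches the fetcher.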
Created attachment 1213819 [details] Upstream patch
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1390894]
Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1390895] Affects: epel-7 [bug 1390896]
Comment on attachment 1213819 [details] Upstream patch The patch seems to cause an unintended change in behavior: https://curl.haxx.se/mail/lib-2016-11/0059.html
Upstream considers the current behavior correct: https://curl.haxx.se/mail/lib-2016-11/0084.html ... and wants to check file:// URLs more strictly to provide better diagnostic messages in case the syntax is misused (namely, allow only "localhost" or an empty string as the <host> part of the URL). However, we need to make sure to keep the current (though undocumented) behavior of file://FILE_FROM_CURRENT_DIR unchanged while backporting the security fix for RHEL-6 and RHEL-7.
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:2486
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2018:3558