On Sun, Dec 14, 2025 at 6:11 PM Daniel Stenberg <[email protected]> wrote: > > On Sun, 14 Dec 2025, Jeffrey Walton wrote: > > > When using cURL as a user agent or client, I think this is a layering > > violation. cURL should not be fiddling with URLs in general, and dots > > in particular since a dot is not something that needs to be encoded in > > HTML URLs anyways. > > https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4
The language in the RFC is weak. There are lots of SHOULDs, and not many MUSTs. How does cURL know -- when acting as a client or user agent -- that the assumptions for a generic parser hold so the reference implementation from Section 5 is valid? That's only something the target server would know. The easiest proof by counterexample is a web server with index.html and image.jpeg in the document root. A url of http://www.example.com/image/../image.jpeg should result in an invalid path at the server and return an error to the client since there is no image/ subdirectory at document root. The transformation from http://www.example.com/image/../image.jpeg to http://www.example.com/image.jpeg should not happen at the client or user agent. And the companion example is a secret knock. Suppose a webmaster wants to use a non-existent knock/ directory to validate a request: http://www.example.com/knock/../knock/..knock/../index.html. cURL does not have enough information to know the local policies of the webmaster at the target server to make the transformation. Jeff -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
