From 3050ae57c0ad3a071448fb36b5d5d720910d5d00 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 19 Jan 2005 21:56:02 +0000
Subject: Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP
 URL contains %0a or %0d in the user, password or CWD parts. (A future fix
 would include doing it for %00 as well - see KNOWN_BUGS for details.) Test
 case 225 and 226 were added to verify this

---
 docs/KNOWN_BUGS | 10 ++++++++++
 docs/TODO       |  3 +++
 2 files changed, 13 insertions(+)

(limited to 'docs')

diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
index 1177b37e2..1bfe25bc2 100644
--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@@ -3,6 +3,16 @@ join in and help us correct one or more of these! Also be sure to check the
 changelog of the current development status, as one or more of these problems
 may have been fixed since this was written!
 
+* FTP URLs passed to curl may contain NUL (0x00) in the RFC 1738 <user>,
+  <password>, and <fpath> components, encoded as "%00".  The problem is that
+  curl_unescape does not detect this, but instead returns a shortened C
+  string.  From a strict FTP protocol standpoint, NUL is a valid character
+  within RFC 959 <string>, so the way to handle this correctly in curl would
+  be to use a data structure other than a plain C string, one that can handle
+  embedded NUL characters.  From a practical standpoint, most FTP servers
+  would not meaningfully support NUL characters within RFC 959 <string>,
+  anyway (e.g., UNIX pathnames may not contain NUL).
+
 * Test case 241 fails on all systems that support IPv6 but that don't have the
   host name 'ip6-localhost' in /etc/hosts (or similar) since the test case
   uses that host name to test the IPv6 name to address resolver.
diff --git a/docs/TODO b/docs/TODO
index dbda55050..6a8b47994 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -65,6 +65,9 @@ TODO
 
  FTP
 
+ * Make the detection of (bad) %0d and %0a codes in FTP url parts earlier in
+   the process to avoid doing a resolve and connect in vain.
+
  * Code overhaul to make it more state-machine like and to _never_ block on
    waiting for server responses when used with the multi interface.
 
-- 
cgit v1.2.3