When given an input URL such as http://example.com/file
, the path section of
the URL gets extracted and is turned into /file
in the HTTP request line.
That item in the protocol is called the request target in HTTP. That is the
resource this request interacts with. Normally this request target is
extracted from the URL and then used in the request and as a user you do not
need to think about it.
In some rare circumstances, user may want to go creative and change this
request target in ways that the URL does not really allow. For example, the
HTTP OPTIONS method has a specially define request target for magic that
concerns the server and not a specific path, and it uses *
for that. Yes,
a single asterisk. There is no way to specify a URL for this, so if you want to
pass a single asterisk in the request target to a server, like for OPTIONS,
you have to do it like this:
curl -X OPTIONS --request-target "*" http://example.com/
That example command line makes the first line of the outgoing HTTP request to look like this:
OPTIONS * HTTP/1.1
The path part of the URL is the part that starts with the first slash after the hostname and ends either at the end of the URL or at a '?' or '#' (roughly speaking).
If you include substrings including /../
or /./
in the path, curl
automatically squashes them before the path is sent to the server, as is
dictated by standards and how such strings tend to work in local file
systems. The /../
sequence removes the previous section so that
/hello/sir/../
ends up just /hello/
and /./
is simply removed so that
/hello/./sir/
becomes /hello/sir/
.
To prevent curl from squashing those magic sequences before they are sent to
the server and thus allow them through, the --path-as-is
option exists.
Lame attempt to trick the server to deliver its /etc/passwd
file:
curl --path-as-is https://example.com/../../etc/passwd