diff --git a/CHANGELOG.md b/CHANGELOG.md
index e938df9..3c81337 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,12 +9,12 @@ SPDX-License-Identifier: curl
 # Changelog
 ## [v2025.11.09]
- * Really fix CVE-2025-11563: The patch from v2025.11.04 didn't fix the CVE and
+ * Really fix CVE-2025-11563: The patch from v2025.11.04 did not fix the CVE and
 the unit test verifying it was broken.
 * Replace `>/dev/stderr` with `>&2` for portability.
 ## [v2025.11.04]
- * Fix CVE-2025-11563: Don't percent-decode `/` and `\` in output file name to
+ * Fix CVE-2025-11563: Do not percent-decode `/` and `\` in output file name to
 avoid path traversal.
 * Fix typos reported by pyspelling.
 * Multiple improvements to GitHub Actions.
@@ -84,11 +84,11 @@ SPDX-License-Identifier: curl
 * Drop `getopt` usage, non-GNU/Linux environments are supported now.
 * Replace `-o`/`--opts=` parameters with `--curl-options`/`--curl-options=`.
 This alternative is more descriptive and it does not coincide with any of curl's parameters.
- * Stop auto-resuming downloads and don't overwrite files instead by default.
+ * Stop auto-resuming downloads and do not overwrite files instead by default.
 Safer alternative as otherwise curl can corrupt a file if the name clashes and the size of the existing one is smaller. One can easily change that behavior with `--curl-options="--continue-at -"`.
 * New `--dry-run` option: just print what would be invoked.
- * Choose HTTPS as a default protocol, in case there's none in the URL.
+ * Choose HTTPS as a default protocol, in case there is none in the URL.
 * Disable curl's URL globbing parser so `{}` and `[]` characters in URLs are not treated specially.
 * Implement support for `--`.
 * Implement `-V`/`--version` options.
@@ -98,10 +98,10 @@ SPDX-License-Identifier: curl
 ## [v2024-07-02]
 * First "public" release, announcing the project.
 * Use `exec` instead of `eval`.
- * Only set `--parallel` if there's more than one URL.
+ * Only set `--parallel` if there is more than one URL.
 * Fix manpage typo.
 * Update COPYRIGHT and AUTHORS in manpage.
- * Rewrite wcurl to remove bash dependency, it's now a POSIX shell script.
+ * Rewrite wcurl to remove bash dependency, it is now a POSIX shell script.
 * Add README.md.
 * Add LICENSE.
diff --git a/README.md b/README.md
index 308acd7..10dd653 100644
--- a/README.md
+++ b/README.md
@@ -88,12 +88,12 @@ should be using curl directly if your use case is not covered.
 * `--no-decode-filename`
- Don't percent-decode the output filename, even if the percent-encoding in the
+ Do not percent-decode the output filename, even if the percent-encoding in the
 URL was done by wcurl, e.g.: The URL contained whitespace.
 * `--dry-run`
- Don't actually execute curl, just print what would be invoked.
+ Do not actually execute curl, just print what would be invoked.
 * `-V, --version`
diff --git a/tests/tests.sh b/tests/tests.sh
index ad02c50..ced519d 100755
--- a/tests/tests.sh
+++ b/tests/tests.sh
@@ -153,14 +153,14 @@ testUrlDefaultName()
 {
 url='example%20with%20spaces.com'
 ret=$(${WCURL_CMD} ${url} 2>&1)
- assertContains "Verify whether 'wcurl' chooses the correct default filename when there's no path in the URL" "${ret}" 'index.html'
+ assertContains "Verify whether 'wcurl' chooses the correct default filename when there is no path in the URL" "${ret}" 'index.html'
 }
 testUrlDefaultNameTrailingSlash()
 {
 url='example%20with%20spaces.com/'
 ret=$(${WCURL_CMD} ${url} 2>&1)
- assertContains "Verify whether 'wcurl' chooses the correct default filename when there's no path in the URL and the URl ends with a slash" "${ret}" 'index.html'
+ assertContains "Verify whether 'wcurl' chooses the correct default filename when there is no path in the URL and the URl ends with a slash" "${ret}" 'index.html'
 }
 testUrlDecodingWhitespace()
@@ -207,9 +207,9 @@ testUrlDecodingBackslashes()
 assertContains "Verify whether 'wcurl' successfully uses the default filename when the URL ends with a slash" "${ret}" '--output filename%5Cwith%2Fbackslashes%5c%2f'
 }
-# Test decoding a bunch of different languages (that don't use the latin
+# Test decoding a bunch of different languages (that do not use the latin
 # alphabet), we could split each language on its own test, but for now it
-# doesn't make a difference.
+# does not make a difference.
 testUrlDecodingNonLatinLanguages()
 {
 # Arabic
@@ -236,7 +236,7 @@ testUrlDecodingNonLatinLanguages()
 ## Ideas for tests:
 ##
 ## - URL with whitespace
-## - Different encodes don't get messed up
+## - Different encodes do not get messed up
 ## - Test '--' (with and without)
 ## - Test filename output (URL ending/not ending with slash)
 ## - Filename with whitespace (decoding)
diff --git a/wcurl b/wcurl
index cbdbb32..b042c23 100755
--- a/wcurl
+++ b/wcurl
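Review bot: The rewritten assertion message in testUrlDefaultNameTrailingSlash (hunk at -153) still contains the typo `URl` in `... no path in the URL and the URl ends with a slash`. Since this line is already being edited for wording only, change it to `URL` in the same pass so the failure output reads cleanly. Test behaviour is not affected.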
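Review bot: The assertion message at the top of the hunk at -207 (in testUrlDecodingBackslashes) reads `successfully uses the default filename when the URL ends with a slash`, which does not describe what the expected value `--output filename%5Cwith%2Fbackslashes%5c%2f` checks. This test appears to be the regression guard for leaving percent-encoded `/` and `\` undecoded in the output name, which is the path traversal fix the CHANGELOG lists as CVE-2025-11563. A message such as `"Verify whether 'wcurl' leaves percent-encoded slashes and backslashes undecoded in the output filename"` would make a failure self-explanatory. The function body starts outside the hunk, so confirm against the full test before changing it.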
@@ -64,10 +64,10 @@ Options:
 number appended to the end (curl >= 7.83.0). If this option is provided multiple times, only the last value is considered.
- --no-decode-filename: Don't percent-decode the output filename, even if the percent-encoding in
+ --no-decode-filename: Do not percent-decode the output filename, even if the percent-encoding in
 the URL was done by wcurl, e.g.: The URL contained whitespace.
- --dry-run: Don't actually execute curl, just print what would be invoked.
+ --dry-run: Do not actually execute curl, just print what would be invoked.
 -V, --version: Print version information.
@@ -167,7 +167,7 @@ percent_decode()
 # If character is a "%", read the next character as decode_hex1.
 if [ "${decode_out}" = % ] && IFS= read -r decode_hex1; then
 decode_out="${decode_out}${decode_hex1}"
- # If there's one more character, read it as decode_hex2.
+ # If there is one more character, read it as decode_hex2.
 if IFS= read -r decode_hex2; then
 decode_out="${decode_out}${decode_hex2}"
 # Skip decoding if this is a control character (00-1F).
@@ -190,7 +190,7 @@ get_url_filename()
 {
 # Remove protocol and query string if present.
 hostname_and_path="$(printf %s "${1}" | sed -e 's,^[^/]*//,,' -e 's,?.*$,,')"
- # If what remains contains a slash, there's a path; return it percent-decoded.
+ # If what remains contains a slash, there is a path; return it percent-decoded.
 case "${hostname_and_path}" in
 # sed to remove everything preceding the last '/', e.g.: "example/something" becomes "something"
 */*) percent_decode "$(printf %s "${hostname_and_path}" | sed -e 's,^.*/,,')" ;;
@@ -228,19 +228,19 @@ exec_curl()
 fi
 fi
- # Detecting whether we need --parallel. It's easier to rely on
+ # Detecting whether we need --parallel. It is easier to rely on
 # the shell's argument parsing.
 # shellcheck disable=SC2086
 set -- $URLS
- # If there are less than two URLs, don't set the parallel flag.
+ # If there are less than two URLs, do not set the parallel flag.
 if [ "$#" -lt 2 ]; then
 CURL_PARALLEL=""
 fi
 # Start assembling the command.
 #
- # We use 'set --' here (again) because (a) we don't have arrays on
+ # We use 'set --' here (again) because (a) we do not have arrays on
 # POSIX shell, and (b) we need better control over the way we
 # split arguments.
 #
diff --git a/wcurl.1 b/wcurl.1
index 1f1493b..99d0ab2 100644
--- a/wcurl.1
+++ b/wcurl.1
@@ -67,7 +67,7 @@ URLs are provided, resulting files share the same name with a number appended to
 the end (curl >= 7.83.0). If this option is provided multiple times, only the last value is considered.
 .IP --no-decode-filename
-Don\(aqt percent\-decode the output filename, even if the percent\-encoding in the
+Do not percent\-decode the output filename, even if the percent\-encoding in the
 URL was done by \fBwcurl\fP, e.g.: The URL contained whitespace.
 .IP --dry-run
 Do not actually execute curl, just print what would be invoked.
diff --git a/wcurl.md b/wcurl.md
index 7d1200b..ab5c3aa 100644
--- a/wcurl.md
+++ b/wcurl.md
@@ -87,7 +87,7 @@ last value is considered.
 ## --no-decode-filename
-Don't percent-decode the output filename, even if the percent-encoding in the
+Do not percent-decode the output filename, even if the percent-encoding in the
 URL was done by **wcurl**, e.g.: The URL contained whitespace.
 ## --dry-run