Equivalent of path-as-is option in curl

[exploide]

In curl there is the --path-as-is option:

Tell curl to not handle sequences of /../ or /./ in the given URL path. Normally curl will squash or merge them according to standards but with this option set you tell it not to do that.

Currently, httpie does not send paths like /../../../../../ to the server but resolves and removes them locally.

Sending such sequences can be useful during security testing, e.g. checking directory traversal vulnerabilities.

I would like to request a similar option as curl's --path-as-is.

[jkbrzt]

The dot segment removal is automatically applied by the upstream urllib3 library in its parse_url() implementation. Which is called from requests’s PreparedRequest.prepare():

Currently, neither library provides a way to disable the normalisation, sadly.

urllib3==1.25.8
requests==2.23.0

---

$ http --offline example.org/foo/../bar/

GET /bar/ HTTP/1.1

[exploide]

Good to know.

In the meantime, one can partially workaround this by manually URL-encoding / as %2f if needed.

[exploide]

Actually, this was already requested for the requests library in psf/requests#5289

The issue contains a solution approved by a maintainer.

[jkbrzt]

@exploide the linked issue includes a comment with a decent workaround, so I’ve just pushed support for --path-as-is to master (will be shipped with a future > v2.0.0 release).

$ http  --path-as-is  --offline  example.org/../../etc/password

GET /../../etc/password HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: example.org
User-Agent: HTTPie/2.1.0-dev

[exploide]

Awesome. That was fast. Thanks! 👍