curl-url-file-3A-2F-2F-2F

curl file:///

If you run this exact command, curl will attempt to list or read the root directory (/). On most modern systems, this results in an error like:

curl: (3) URL using bad/illegal format or missing URL

Reason? curl expects a fully qualified path after file:///. A dangling triple slash points to a directory, and by default curl does not perform directory listing. However, the true danger emerges when a valid file path is appended.

Consider a PHP application using curl_init() with a user-supplied URL. If the developer only checks for http or https, an attacker could supply:

curl -X POST -d "url=file%3A%2F%2F%2Fetc%2Fpasswd" https://vulnerable-app/fetch

The server decodes this to file:///etc/passwd and, if no protocol whitelist exists, reads local files. The appearance of -3A-2F-2F-2F in logs is a sign of an attempted SSRF or directory traversal attack.

Part 4: Practical Experiments with curl and File URLs

To truly understand the keyword, you must experiment (ethically, on your own system).

Attempt 1: The exact decoded command

curl file:///

Output: curl: (3) URL using bad/illegal format or missing URL

Attempt 2: Read a system file

curl file:///etc/os-release

Output: your distribution info, e.g. NAME="Ubuntu", VERSION="22.04", etc.

Attempt 3: List directory contents (requires special handling)

curl cannot list directories natively. --ftp-method applies to FTP; for file:// you would need a URL that points to a directory with a trailing slash and rely on libcurl's fallback. Better yet, use ls. This limitation is why file:/// alone fails.

Attempt 4: Use the encoded form in a script

# Encoded version of curl file:///etc/passwd
encoded="file%3A%2F%2F%2Fetc%2Fpasswd"
curl "$encoded"

This works because curl automatically decodes the URL before handling the scheme.

Part 5: Security Hardening Against File URI Abuse

If you are a developer or system administrator, the presence of curl-url-file-3A-2F-2F-2F in your environment demands action.

1. Disable file:// in curl-based applications

When using libcurl in code (C, PHP, Python, Ruby), set the CURLOPT_PROTOCOLS option:

curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);

In PHP, the same constants are passed to curl_setopt():

curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);

(libcurl 7.85.0 and later also accept the string form of this option, CURLOPT_PROTOCOLS_STR, e.g. "http,https".)

Validate the decoded value, not the raw parameter. This is what the server sees after decoding the request shown earlier:

from urllib.parse import unquote
print(unquote("file%3A%2F%2F%2Fetc%2Fpasswd"))  # Output: file:///etc/passwd

Stay safe, validate your URLs, and respect the power of the file:// scheme.
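The two defensive steps above, carried through as an added Python example (not code from the original article): an http/https allowlist that is applied only after the parameter has been percent-decoded until it stops changing, so the check sees the same file:/// the fetcher would see, plus a scan of web-server log lines for the -3A-2F-2F-2F pattern the article says to watch for. The combined log layout, the function names and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
FILE_SCHEME = re.compile(r"file:/{2,}", re.IGNORECASE)
# Assumed log layout: standard combined format with the request line in quotes.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so the check sees what the fetcher sees."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_allowed_url(raw: str) -> bool:
    """Allowlist check on the DECODED value: file%3A%2F%2F%2F becomes file:/// and is rejected."""
    parts = urlsplit(fully_decode(raw.strip()))
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def flag_file_scheme(log_lines):
    """Return (line, decoded_value) for every query parameter that carries a file:// URL."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for values in parse_qs(query).values():
            for value in values:  # parse_qs already removed one layer of encoding
                decoded = fully_decode(value)
                if FILE_SCHEME.search(decoded):
                    hits.append((line, decoded))
    return hits


# Constructed sample log lines (not real traffic); the third one is encoded twice.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Fa HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /fetch?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /fetch?url=file%253A%252F%252F%252Fetc%252Fhosts HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for line, decoded in flag_file_scheme(SAMPLE_LOG):
        print("suspicious:", decoded, "<-", line)
    print(is_allowed_url("file%3A%2F%2F%2Fetc%2Fpasswd"))  # False
```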