# URL syntax and their use in curl

## Specifications

The official "URL syntax" is primarily defined in these two different
specifications:

 - [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986) (although URL is called
   "URI" in there)
 - [The WHATWG URL Specification](https://url.spec.whatwg.org/)

RFC 3986 is the earlier one, and curl has always tried to adhere to that one
(since it shipped in January 2005).

The WHATWG URL spec was written later, is incompatible with RFC 3986 and
changes over time.

## Variations

URL parsers as implemented in browsers, libraries and tools usually opt to
support one of the mentioned specifications. Bugs, differences in
interpretations and the moving nature of the WHATWG spec do however make it
unlikely that multiple parsers treat URLs the same way.

## Security

Due to the inherent differences between URL parser implementations, it is
considered a security risk to mix different implementations and assume the
same behavior!

For example, if you use one parser to check if a URL uses a good hostname or
the correct auth field, and then pass on that same URL to a *second* parser,
there will always be a risk it treats the same URL differently. There is no
right and wrong in URL land, only differences of opinions.

libcurl offers a separate API to its URL parser for this reason, among others.

Applications may at times find it convenient to allow users to specify URLs
for various purposes and that string would then end up fed to curl. Getting a
URL from an external untrusted party and using it with curl brings several
security concerns:

1. If you have an application that runs as or in a server application, getting
   an unfiltered URL can trick your application into accessing a local resource
   instead of a remote resource. Protecting yourself against localhost accesses
   is hard when accepting user-provided URLs.

2. Such custom URLs can access other ports than you planned as port numbers
   are part of the regular URL format. The combination of a local host and a
   custom port number can allow external users to play tricks with your local
   services.

3. Such a URL might use other schemes than you thought of or planned for.

## "RFC 3986 plus"

curl recognizes a URL syntax that we call "RFC 3986 plus". It is grounded on
the well established RFC 3986 to make sure previously written command lines and
scripts that use curl will remain working.

curl's URL parser allows a few deviations from the spec in order to
inter-operate better with URLs that appear in the wild.

### spaces

A URL provided to curl cannot contain spaces. They need to be provided URL
encoded to be accepted in a URL by curl.

An exception to this rule: `Location:` response headers that indicate to a
client where a resource has been redirected to, sometimes contain spaces. This
is a violation of RFC 3986 but is fine in the WHATWG spec. curl handles these
by re-encoding them to `%20`.

### non-ASCII

Byte values in a provided URL that are outside of the printable ASCII range
are percent-encoded by curl.

### multiple slashes

An absolute URL always starts with a "scheme" followed by a colon. For all the
schemes curl supports, the colon must be followed by two slashes according to
RFC 3986 but not according to the WHATWG spec, which allows anywhere from one
to an infinite number of slashes.

curl allows one, two or three slashes after the colon to still be considered a
valid URL.

### "scheme-less"

curl supports "URLs" that do not start with a scheme. This is not supported by
any of the specifications. This is a shortcut to entering URLs that was
supported by browsers early on and has been mimicked by curl.

Based on what the hostname starts with, curl will "guess" what protocol to
use:

 - `ftp.` means FTP
 - `dict.` means DICT
 - `ldap.` means LDAP
 - `imap.` means IMAP
 - `smtp.` means SMTP
 - `pop3.` means POP3
 - all others mean HTTP

### globbing letters

The curl command line tool supports "globbing" of URLs. It means that you can
create ranges and lists using `[N-M]` and `{one,two,three}` sequences. The
letters used for this (`[]{}`) are reserved in RFC 3986 and can therefore not
legitimately be part of such a URL.

They are however not reserved or special in the WHATWG specification, so
globbing can mess up such URLs. Globbing can be turned off for such occasions
(using `--globoff`).

# URL syntax details

A URL may consist of the following components - many of them are optional:

    [scheme][divider][userinfo][hostname][port number][path][query][fragment]

Each component is separated from the following component with a divider
character or string.

For example, this could look like:

    http://user:password@www.example.com:80/index.html?foo=bar#top

## Scheme

The scheme specifies the protocol to use. A curl build can support a few or
many different schemes. You can limit what schemes curl should accept.

curl supports the following schemes on URLs specified to transfer. They are
matched case insensitively:

`dict`, `file`, `ftp`, `ftps`, `gopher`, `gophers`, `http`, `https`, `imap`,
`imaps`, `ldap`, `ldaps`, `mqtt`, `pop3`, `pop3s`, `rtmp`, `rtmpe`, `rtmps`,
`rtmpt`, `rtmpte`, `rtmpts`, `rtsp`, `smb`, `smbs`, `smtp`, `smtps`, `telnet`,
`tftp`

When the URL is specified to identify a proxy, curl recognizes the following
schemes:

`http`, `https`, `socks4`, `socks4a`, `socks5`, `socks5h`, `socks`

## Userinfo

The userinfo field can be used to set user name and password for
authentication purposes in this transfer. The use of this field is discouraged
since it often means passing around the password in plain text and is thus a
security risk.

URLs for IMAP, POP3 and SMTP also support *login options* as part of the
userinfo field. They are provided as a semicolon after the password and then
the options.

## Hostname

The hostname part of the URL contains the address of the server that you want
to connect to. This can be the fully qualified domain name of the server, the
local network name of the machine on your network or the IP address of the
server or machine represented by either an IPv4 or IPv6 address (within
brackets). For example:

    http://www.example.com/

    http://hostname/

    http://192.168.0.1/

    http://[2001:1890:1112:1::20]/

### "localhost"

Starting in curl 7.77.0, curl uses loopback IP addresses for the name
`localhost`: `127.0.0.1` and `::1`. It does not resolve the name using the
resolver functions.

This is done to make sure the host accessed is truly the localhost - the local
machine.

### IDNA

If curl was built with International Domain Name (IDN) support, it can also
handle host names using non-ASCII characters.

When built with libidn2, curl uses the IDNA 2008 standard. This is equivalent
to the WHATWG URL spec, but differs from certain browsers that use IDNA 2003
Transitional Processing. The two standards have a huge overlap but differ
slightly, perhaps most famously in how they deal with the German "double s"
(`ß`).

When winidn is used, curl uses IDNA 2003 Transitional Processing, like the rest
of Windows.

## Port number

If there is a colon after the hostname, that should be followed by the port
number to use, in the range 1 - 65535. curl also supports a blank port number
field - but only if the URL starts with a scheme.

If the port number is not specified in the URL, curl uses a default port
based on the provided scheme:

DICT 2628, FTP 21, FTPS 990, GOPHER 70, GOPHERS 70, HTTP 80, HTTPS 443,
IMAP 132, IMAPS 993, LDAP 369, LDAPS 636, MQTT 1883, POP3 110, POP3S 995,
RTMP 1935, RTMPS 443, RTMPT 80, RTSP 554, SCP 22, SFTP 22, SMB 445, SMBS 445,
SMTP 25, SMTPS 465, TELNET 23, TFTP 69

# Scheme specific behaviors

## FTP

The path part of an FTP request specifies the file to retrieve and from which
directory. If the file part is omitted then libcurl downloads the directory
listing for the directory specified. If the directory is omitted then the
directory listing for the root / home directory will be returned.

FTP servers typically put the user in its "home directory" after login, which
then differs between users. To explicitly specify the root directory of an FTP
server, start the path with double slash `//` or `/%2f` (2F is the hexadecimal
value of the ASCII code for the slash).

## FILE

When a `FILE://` URL is accessed on Windows systems, it can be crafted in a
way so that Windows attempts to connect to a (remote) machine when curl wants
to read or write such a path.

curl only allows the hostname part of a FILE URL to be one out of these three
alternatives: `localhost`, `127.0.0.1` or blank ("", zero characters).
Anything else will make curl fail to parse the URL.

### Windows-specific FILE details

curl accepts that the FILE URL's path starts with a "drive letter". That is a
single letter `a` to `z` followed by a colon or a pipe character (`|`).

The Windows operating system itself will convert some file accesses to perform
network accesses over SMB/CIFS, through several different file path patterns.
This way, a `file://` URL passed to curl *might* be converted into a network
access inadvertently and unknowingly to curl. This is a Windows feature curl
cannot control or disable.

## IMAP

The path part of an IMAP request not only specifies the mailbox to list or
select, but can also be used to check the `UIDVALIDITY` of the mailbox, to
specify the `UID`, `SECTION` and `PARTIAL` octets of the message to fetch and
to specify what messages to search for.

A top level folder list:

    imap://user:password@mail.example.com

A folder list on the user's inbox:

    imap://user:password@mail.example.com/INBOX

Select the user's inbox and fetch message with `uid = 1`:

    imap://user:password@mail.example.com/INBOX/;UID=1

Select the user's inbox and fetch the first message in the mail box:

    imap://user:password@mail.example.com/INBOX/;MAILINDEX=1

Select the user's inbox, check the `UIDVALIDITY` of the mailbox is 50 and
fetch message 2 if it is:

    imap://user:password@mail.example.com/INBOX;UIDVALIDITY=50/;UID=2

Select the user's inbox and fetch the text portion of message 3:

    imap://user:password@mail.example.com/INBOX/;UID=3/;SECTION=TEXT

Select the user's inbox and fetch the first 1024 octets of message 4:

    imap://user:password@mail.example.com/INBOX/;UID=4/;PARTIAL=0.1024

Select the user's inbox and check for NEW messages:

    imap://user:password@mail.example.com/INBOX?NEW

Select the user's inbox and search for messages containing "shadows" in the
subject line:

    imap://user:password@mail.example.com/INBOX?SUBJECT%20shadows

Searching via the query part of the URL `?` is a search request for the
results to be returned as message sequence numbers (`MAILINDEX`). It is
possible to make a search request for results to be returned as unique ID
numbers (`UID`) by using a custom curl request via `-X`. `UID` numbers are
unique per session (and multiple sessions when `UIDVALIDITY` is the same). For
example, if you are searching for `"foo bar"` in header+body (`TEXT`) and you
want the matching `MAILINDEX` numbers returned then you could search via URL:

    imap://user:password@mail.example.com/INBOX?TEXT%20%22foo%20bar%22

If you want matching `UID` numbers you have to use a custom request:

    imap://user:password@mail.example.com/INBOX -X "UID SEARCH TEXT \"foo bar\""

For more information about IMAP commands please see RFC 9051. For more
information about the individual components of an IMAP URL please see RFC 5092.

* Note old curl versions would `FETCH` by message sequence number when `UID`
was specified in the URL. That was a bug fixed in 7.62.0, which added
`MAILINDEX` to `FETCH` by mail sequence number.

## LDAP

The path part of a LDAP request can be used to specify the Distinguished
Name, Attributes, Scope, Filter and Extension for a LDAP search. Each field is
separated by a question mark and when that field is not required an empty
string with the question mark separator should be included.

Search for the `DN` as `My Organization`:

    ldap://ldap.example.com/o=My%20Organization

The same search, but returning only `postalAddress` attributes:

    ldap://ldap.example.com/o=My%20Organization?postalAddress

Search for an empty `DN` and request information about the
`rootDomainNamingContext` attribute for an Active Directory server:

    ldap://ldap.example.com/?rootDomainNamingContext

For more information about the individual components of a LDAP URL please
see [RFC 4516](https://datatracker.ietf.org/doc/html/rfc4516).

## POP3

The path part of a POP3 request specifies the message ID to retrieve. If the
ID is not specified then a list of waiting messages is returned instead.

## SCP

The path part of an SCP URL specifies the path and file to retrieve or
upload. The file is taken as an absolute path from the root directory on the
server.

To specify a path relative to the user's home directory on the server, prepend
`~/` to the path portion.

## SFTP

The path part of an SFTP URL specifies the file to retrieve or upload. If the
path ends with a slash (`/`) then a directory listing is returned instead of a
file. If the path is omitted entirely then the directory listing for the root
/ home directory will be returned.

## SMB

The path part of a SMB request specifies the file to retrieve and from what
share and directory or the share to upload to and as such, may not be omitted.
If the user name is embedded in the URL then it must contain the domain name
and as such, the backslash must be URL encoded as `%2f`.

When uploading to SMB, the size of the file needs to be known ahead of time,
meaning that you can upload a file passed to curl over a pipe like stdin.

curl supports SMB version 1 (only).

## SMTP

The path part of a SMTP request specifies the hostname to present during
communication with the mail server. If the path is omitted, then libcurl will
attempt to resolve the local computer's hostname. However, this may not
return the fully qualified domain name that is required by some mail servers
and specifying this path allows you to set an alternative name, such as your
machine's fully qualified domain name, which you might have obtained from an
external function such as `gethostname` or `getaddrinfo`.

The default SMTP port is 25. Some servers use port 587 as an alternative.

## RTMP

There is no official URL spec for RTMP so libcurl uses the URL syntax supported
by the underlying librtmp library. It has a syntax where it wants a
traditional URL, followed by a space and a series of space-separated
`name=value` pairs.

While space is not typically a "legal" letter, libcurl accepts them. When a
user wants to pass in a `#` (hash) character it will be treated as a fragment
and get cut off by libcurl if provided literally. You will instead have to
escape it by providing it as backslash and its ASCII value in hexadecimal:
`\23`.