--- parser3/src/classes/curl.C 2012/04/20 20:02:03 1.16
+++ parser3/src/classes/curl.C 2012/04/24 21:53:32 1.19
@@ -16,7 +16,7 @@
 #include "pa_http.h"
 #include "ltdl.h"
-volatile const char * IDENT_CURL_C="$Id: curl.C,v 1.16 2012/04/20 20:02:03 moko Exp $";
+volatile const char * IDENT_CURL_C="$Id: curl.C,v 1.19 2012/04/24 21:53:32 moko Exp $";
 class MCurl: public Methoded {
 public:
@@ -76,13 +76,13 @@ public:
 bool is_text;
 Charset *charset, *response_charset;
 struct curl_httppost *f_post;
- FILE *stderr;
+ FILE *f_stderr;
- ParserOptions() : filename(0), content_type(0), is_text(true), charset(0), response_charset(0), f_post(0), stderr(0){}
+ ParserOptions() : filename(0), content_type(0), is_text(true), charset(0), response_charset(0), f_post(0), f_stderr(0){}
 ~ParserOptions() {
 f_curl_formfree(f_post);
- if(stderr)
- fclose(stderr);
+ if(f_stderr)
+ fclose(f_stderr);
 }
 };
@@ -282,7 +282,7 @@ public:
 CURL_OPT(CURL_FILE, CRLFILE);
 CURL_OPT(CURL_STRING, CAINFO);
- CURL_OPT(CURL_STRING, CAPATH);
+ CURL_OPT(CURL_FILE, CAPATH);
 CURL_OPT(CURL_INT, SSL_VERIFYPEER);
 CURL_OPT(CURL_INT, SSL_VERIFYHOST);
 CURL_OPT(CURL_STRING, SSL_CIPHER_LIST);
@@ -357,6 +357,14 @@ static void curl_form(HashStringValue *v
 }
 }
+static const char *curl_check_file(const String &file_spec){
+ const char *file_spec_cstr=file_spec.taint_cstr(String::L_FILE_SPEC);
+ struct stat finfo;
+ if(stat(file_spec_cstr, &finfo)==0)
+ check_safe_mode(finfo, file_spec, file_spec_cstr);
+ return file_spec_cstr;
+}
+
 static void curl_setopt(HashStringValue::key_type key, HashStringValue::value_type value, Request& r) {
 CurlOption *opt=curl_options->get(key);
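Review bot: `CAINFO` stays `CURL_STRING` on the context line just above the change, so the CA bundle path is still handed to libcurl as given, while `CAPATH` and `CRLFILE` now go through the `CURL_FILE` branch (`r.absolute()` plus `curl_check_file`, as the later hunks show). If that difference is not deliberate, `CURL_OPT(CURL_FILE, CAINFO);` would make the trust-store options consistent. Other path-valued options may sit outside this hunk and deserve the same look. A one-line comment noting that `CAPATH` names a directory rather than a file would also help the next reader of the `CURL_FILE` branch.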
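Review bot: `curl_check_file` fails open: when `stat()` returns non-zero, the `check_safe_mode` call is skipped and the path is returned anyway, so a path that does not exist yet or cannot be examined reaches the caller unchecked. That matters most for the CURL_STDERR caller in the next hunk, which creates the file with `fopen`. Consider accepting only a missing file, e.g. `else if(errno!=ENOENT) throw Exception("curl", 0, "unable to check file '%s'", file_spec_cstr);`. The function should also say in a comment what happens for paths that do not exist. Separately, the check and the later open (by libcurl or `fopen`) both go by name, so the file can change in between; for the stderr case an `fstat` on the opened handle would close that gap.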
@@ -427,18 +435,18 @@ static void curl_setopt(HashStringValue:
 }
 case CurlOption::CURL_FILE:{
 // file-spec curl option
- const char *value_str=r.absolute(v.as_string()).taint_cstr(String::L_FILE_SPEC);
- res=f_curl_easy_setopt(curl(), opt->id, value_str);
+ const char *file_spec_cstr=curl_check_file(r.absolute(v.as_string()));
+ res=f_curl_easy_setopt(curl(), opt->id, file_spec_cstr);
 break;
 }
 case CurlOption::CURL_STDERR:{
 // verbose output redirection from stderr to file curl option
- const char *value_str=r.absolute(v.as_string()).taint_cstr(String::L_FILE_SPEC);
- FILE *stderr=options().stderr=fopen(value_str, "at");
- if (stderr){
- res=f_curl_easy_setopt(curl(), opt->id, stderr);
+ const char *file_spec_cstr=curl_check_file(r.absolute(v.as_string()));
+ FILE *f_stderr=options().f_stderr=fopen(file_spec_cstr, "wt");
+ if (f_stderr){
+ res=f_curl_easy_setopt(curl(), opt->id, f_stderr);
 } else {
- throw Exception("curl", 0, "failed to set option '%s': unable to open file %s", key.cstr(), value_str);
+ throw Exception("curl", 0, "failed to set option '%s': unable to open file '%s'", key.cstr(), file_spec_cstr);
 }
 break;
 }
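Review bot: In the CURL_STDERR branch, `options().f_stderr=fopen(file_spec_cstr, "wt")` overwrites whatever handle an earlier stderr option stored on the same options object, so that FILE is never closed; `~ParserOptions` only closes the last one. If the option can be set more than once per session (not visible here), keep the old pointer in a local, install the new handle with `f_curl_easy_setopt`, and only then `fclose` the old one. A failed `fopen` also stores a null pointer over the previous handle before the exception is thrown. The move from `"at"` to `"wt"` truncates an existing file at open time, so a comment such as `// "wt": each session starts with an empty log` would record that the overwrite is intended. `curl_setopt` itself begins and ends outside this hunk.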