closing hackerone reports as not applicable without mercy on a Saturday night

One of them claimed that the fact that you can run "curl http://¹²7.0.0.1" is a vulnerability.

I insist this is IDN working as designed, however crazy it may look. You just cannot filter URLs like that and assume it will work.

Closed a third. Turns out Windows sometimes does fun IDN-like unicide-to-ASCII conversions for command lines, which then allows users to insert unicode characters in a cmdline argument when run on Windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and whatnot.

Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.
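As an added example (not part of bagder's post or of curl's code), here is what the IDN compatibility mapping does to that host, and why a blocklist compared against the raw string misses it while one compared after normalization does not; the URL and blocklist are constructed for the demo.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the host from the report, written with
# SUPERSCRIPT ONE (U+00B9) and SUPERSCRIPT TWO (U+00B2).
REPORTED_URL = "http://\u00b9\u00b27.0.0.1/admin"

# Constructed blocklist of internal hosts a URL filter might want to reject.
BLOCKED_HOSTS = {"127.0.0.1", "localhost"}


def naive_is_blocked(url: str) -> bool:
    """Compare the hostname exactly as it appears in the URL string.

    This is the filter that the report assumed should work; IDN mapping
    happens later, so the superscript digits never match the blocklist.
    """
    return urlsplit(url).hostname in BLOCKED_HOSTS


def canonical_host(url: str) -> str:
    """Return the hostname after the NFKC mapping IDNA applies before lookup.

    IDNA (UTS #46 / nameprep) folds compatibility characters such as
    superscript digits to their ASCII equivalents, so the resolver sees
    "127.0.0.1" regardless of how the user typed it.
    """
    host = urlsplit(url).hostname or ""
    return unicodedata.normalize("NFKC", host).lower()


def is_blocked(url: str) -> bool:
    """Filter on the canonical form, i.e. what curl and the resolver will use."""
    return canonical_host(url) in BLOCKED_HOSTS
```

The point for anyone writing a URL allow/deny list: canonicalise (including IDN mapping) first, then compare, because the client will do that mapping whether or not the filter did.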

@bagder
> unicide

The most metal character encoding (or a Freudian slip 😅)
