CURL_MAX_INPUT_LENGTH: largest acceptable string input size #3805

Closed
wants to merge 2 commits into from

@bagder bagder commented Apr 25, 2019

This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (1000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().

The 1000000 number is arbitrarily picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.

NOTE: This does not apply to CURLOPT_POSTFIELDS.

Adds test 1559 that verifies the functionality.

bagder commented Apr 25, 2019

I also took this proposal to the mailing list

@bagder bagder added libcurl API, feature-window and removed feature-window labels Apr 25, 2019
bagder commented Apr 29, 2019

No objections have been received, but I bump the limit to 8000000 bytes anyway to reduce the risk of hitting a valid use case further.

@bagder bagder closed this in 5fc2851 Apr 29, 2019
@bagder bagder deleted the bagder/limit-string-lengths branch May 14, 2019 08:21
@lock lock bot locked as resolved and limited conversation to collaborators Aug 12, 2019
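
A sketch of the check this pull request describes, added here as an illustration and not taken from the curl source: a string setter that rejects inputs of 8000000 bytes or more, plus a 32-bit size calculation showing the kind of wraparound such a cap rules out. The `ex_`/`EX_` names and the three-bytes-per-input-byte calculation are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 8000000 is the limit from the thread; the EX_* names are this example's. */
#define EX_MAX_INPUT_LENGTH 8000000
typedef enum { EX_OK, EX_BAD_ARGUMENT, EX_OUT_OF_MEMORY } ex_code;

/* Store a copy of a string argument only if it is shorter than the cap.
   The scan stops at the cap, so an oversized input is not walked to its end. */
ex_code ex_setstr(char **slot, const char *input)
{
  size_t len = 0;
  while(len < EX_MAX_INPUT_LENGTH && input[len])
    len++;
  if(len >= EX_MAX_INPUT_LENGTH)
    return EX_BAD_ARGUMENT; /* the previously stored value is kept */
  char *copy = malloc(len + 1);
  if(!copy)
    return EX_OUT_OF_MEMORY;
  memcpy(copy, input, len + 1);
  free(*slot);
  *slot = copy;
  return EX_OK;
}

/* Illustrative 32-bit size math: 3 bytes out per byte in, plus a NUL. */
uint32_t ex_expanded_size32(uint32_t len)
{
  return len * 3u + 1u;
}

/* Pass a constructed string of n 'A' bytes to ex_setstr(). */
int ex_try_length(size_t n)
{
  char *stored = NULL, *s = calloc(n + 1, 1);
  ex_code rc = EX_OUT_OF_MEMORY;
  if(s) {
    memset(s, 'A', n);
    rc = ex_setstr(&stored, s);
  }
  free(stored);
  free(s);
  return (int)rc;
}

int main(void)
{
  return ex_try_length(EX_MAX_INPUT_LENGTH) == EX_BAD_ARGUMENT ? 0 : 1;
}
```

Below the cap the 32-bit calculation stays under 24000000, while an uncapped length such as 0x55555556 wraps it around to 3.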