HSTSWRITEFUNCTION stops being called as soon as an stsentry with expires set to TIME_T_MAX is found due to EOVERFLOW on gmtime_r #7720
Comments
Confirmed. Clearly we need to handle the "unlimited" case differently.
When setting a blank expire string, meaning unlimited, curl would pass TIME_T_MAX to gmtime_r() when creating the output, while on 64 bit systems such a large value cannot be converted to a tm struct, making curl exit the loop with an error instead. Starting now, unlimited expiry is instead handled differently by using a human readable expiry date spelled out as "unlimited" instead of trying to use a distant actual date.
Test 1660 and 1915 have been updated to help verify this change.
Reported-by: Jonathan Cardoso
Fixes #7720
The |
Thanks for the insights @bagder - The fix makes sense too.
@bagder not really related to this issue, but I just noticed that if I was expecting the request to be aborted with Important to notice that I'm using the multi interface.
It sounds like a separate issue. And I think we should clarify in the docs what it means to return an error there. I think it should fail the transfer...
I did this
(sorry, right now I cannot provide a source code to easily reproduce this - I hope just this description is enough)
Created an easy handle and set the option HSTSREADFUNCTION to read from a list with the following data (JSON here for convenience):
Assume that if there is no expire in the JSON object, this means I'm not setting the expire in the sts struct. From the documentation:
By default expire is already set to a zero-length string, so I'm just not changing it:
curl/lib/hsts.c
Line 438 in 1c1d9f1
And if there is no includeSubdomain, it means I'm setting it to false in the struct.
I have also set the HSTSWRITEFUNCTION option to save the data when the handle is closed. Right now I'm just printing it.
Finally, I made a request against https://owasp.org/ with CURLOPT_HSTS_CTRL set to ENABLE.
.I expected the following
The cache saved has 3 items where only the second one was updated (with the new expire retrieved from the host after the request). However, what happens is that HSTSWRITEFUNCTION is not called at all.
I did some debugging, and it seems that when the easy handle is closed and Curl_hsts_save is called, the first stsentry passed to hsts_push has their sts->expires set to 9223372036854775807. This is the cache entry for donotcall.gov, as the expire is not set it defaults to TIME_T_MAX:
curl/lib/hsts.c
Lines 447 to 450 in 1c1d9f1
This causes the call to Curl_gmtime here:
curl/lib/hsts.c
Line 286 in 1c1d9f1
to return CURLE_BAD_FUNCTION_ARGUMENT. On my machine, this is using gmtime_r, and it seems that the tm pointer is set to null:
https://github.com/curl/curl/blob/4d2f8006777d6354d9b62eae38ebd0a0256d0f94/lib/parsedate.c#L586-L602
gdb output after running that statement:
Checking errno:
0x0000004b is EOVERFLOW. From https://en.cppreference.com/w/c/chrono/gmtime:
I can default it to a value that is still far in the future, but not big enough to cause the overflow error. However this should probably be handled differently in case it is a real bug. If it is not, feel free to close this.
curl/libcurl version
operating system
uname -a
lsb_release -a
gcc: 7.5.0
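The failure reported above and the "unlimited" handling described in the fix, as an added example that is not curl's own code: the naive formatter passes every expiry to gmtime_r(), while the second one writes the sentinel as a word. The function names, EXPIRE_UNLIMITED and the date layout are assumptions for this sketch, which also assumes a 64-bit signed time_t.

```c
/* Added example, not curl's source. format_expiry*() and EXPIRE_UNLIMITED
 * are hypothetical names; assumes a 64-bit signed time_t. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for gmtime_r() */
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define EXPIRE_UNLIMITED ((time_t)LLONG_MAX) /* 9223372036854775807 */

/* Naive path: always convert. Returns 0 or the errno from gmtime_r(). */
int format_expiry_naive(time_t expires, char *buf, size_t len)
{
  struct tm stamp;
  errno = 0;
  if(!gmtime_r(&expires, &stamp))
    return errno ? errno : EINVAL;
  /* "YYYYMMDD HH:MM:SS" layout chosen for this example */
  return strftime(buf, len, "%Y%m%d %H:%M:%S", &stamp) ? 0 : ERANGE;
}

/* Hardened path: spell the sentinel out, convert everything else. */
int format_expiry(time_t expires, char *buf, size_t len)
{
  static const char word[] = "unlimited";
  if(expires != EXPIRE_UNLIMITED)
    return format_expiry_naive(expires, buf, len);
  if(len < sizeof(word))
    return ERANGE;
  memcpy(buf, word, sizeof(word));
  return 0;
}

int main(void)
{
  char buf[32];
  int rc = format_expiry_naive(EXPIRE_UNLIMITED, buf, sizeof(buf));
  printf("naive:    rc=%d (%s)\n", rc, rc ? strerror(rc) : buf);
  rc = format_expiry(EXPIRE_UNLIMITED, buf, sizeof(buf));
  printf("hardened: rc=%d (%s)\n", rc, rc ? strerror(rc) : buf);
  rc = format_expiry((time_t)0, buf, sizeof(buf));
  printf("epoch:    rc=%d (%s)\n", rc, rc ? strerror(rc) : buf);
  return 0;
}
```

A save loop that treats the naive formatter's error as fatal stops at the first never-expiring entry, so every entry after it is left out of the persisted HSTS cache.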