cURL / Mailing Lists / curl-users / Single Mail

curl-users

Limiting file size of download

From: Alex Bligh <alex_at_alex.org.uk>
Date: Sun, 14 Oct 2012 10:08:13 +0100

Is it possible to limit the file size produced by curl on a download,
to prevent DoS attacks when curl is launched automatically with a
user-supplied URL?

The --max-filesize option initially looks promising, but then it says:

> NOTE: The file size is not always known prior to download, and for such
> files this option has no effect even if the file transfer ends up being
> larger than this given limit. This concerns both FTP and HTTP transfers.

If that's the case, the option is of little use as an attacker can simply
configure a server serving /dev/zero.

What I want it to do is abort if it's written more than X bytes (which
I would have thought would be a useful way for --max-filesize to
work anyway).

This is I suppose to avoid having to use 'ulimit -f' which is (a) ugly,
(b) inexact, and (c) not portable.

-- 
Alex Bligh
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2012-10-14