On Thu, 24 Sep 2009, johansen_at_sun.com wrote:

(I'm cross-posting a reply on a thread originally kept on curl-and-python to
move it over to curl-library instead.)

> On Thu, Sep 24, 2009 at 05:55:58AM +0200, Daniel Stenberg wrote:
>> lib/transfer.c:readwrite_http_headers() is the responsible function. I
>> guess at least some kind of fixed maximum header length (like a 100KB or
>> 1MB or so) is suitable to use there. Wouldn't you agree on that?
>
> That seems entirely reasonable. I believe Seth said that he configured
> a limit of 2mb using the HEADERFUNCTION.
>
> Has anyone detailed the possible client DoS scenarios beyond what's been
> written in the tutorial, or is it better to have that discussion on
> curl-library, instead?

I think the scenario would include an evil server that tricks a libcurl-based
client into downloading a URL that provides just an endless single-line HTTP
header. That would then cause libcurl to not provide any data to the app so
the app cannot abort due to data size (only based on time really) and
eventually realloc() itself to death if it can download enough.

I suggest we just make libcurl stop at 100K and then consider the rest not a
HTTP header anymore - or perhaps consider it an illegal/bad stream and bail
out. Any other opinions or perhaps nods?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html