curl-library
Re: aborting a transaction
Date: Thu, 24 Sep 2009 14:20:53 -0400 (EDT)
On Thu, 24 Sep 2009, Daniel Stenberg wrote:
>>> lib/transfer.c:readwrite_http_headers() is the responsible function. I
>>> guess at least some kind of fixed maximum header length (like a 100KB or
>>> 1MB or so) is suitable to use there. Wouldn't you agree on that?
>>
>> That seems entirely reasonable. I believe Seth said that he configured
>> a limit of 2mb using the HEADERFUNCTION.
>>
>> Has anyone detailed the possible client DoS scenarios beyond what's been
>> written in the tutorial, or is it better to have that discussion on
>> curl-library, instead?
>
> I think the scenario would include an evil server that tricks a libcurl-based
> client into downloading a URL that provides just an endless single-line HTTP
> header. That would then cause libcurl to not provide any data to the app so
> the app cannot abort due to data size (only based on time really) and
> eventually realloc() itself to death if it can download enough.
>
> I suggest we just make libcurl stop at 100K and then consider the rest not a
> HTTP header anymore - or perhaps consider it an illegal/bad stream and bail
> out. Any other opinions or perhaps nods?
>
If you can make the size value configurable then bailing out would be
appropriate. That way if an app doesn't know about this they are protected
from it, but if they do know about it and need really big headers, they
can set the value and move along.
-sv
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-09-24