curl-library
Bug: libcurl truncates passwords longer than 255
Date: Sat, 17 Aug 2013 13:50:38 +0200
Hi,
as per Debian bug #719856 [0], libcurl truncates all the passwords longer than
255 characters when using basic auth:
On ven, ago 16, 2013 at 12:54:01 -0700, Jonathan Nieder wrote:
> Test case:
>
> # Prepare a long (300-character) password.
> s=0123456789
> s=$s$s$s$s$s$s$s$s$s$s
> s=$s$s$s
>
> # Start a server.
> nc -l -p 8888 | tee out &
> pid=$!
>
> # Ask curl to pass a long password to that server.
> curl --user me:$s http://localhost:8888 &
> sleep 1
> kill $pid
>
> # Extract the password.
> userpass=$(
> awk '/Authorization: Basic/ {print $3}' <out |
> tr -d '\r' |
> base64 -d
> )
> password=${userpass#me:}
> echo ${#password}
>
> Expected result: 300
> Actual result: 255
At [1] there's an attempt of a patch that basically strdup()s the password and
username, altough it doesn't yet pass the test suite:
On ven, ago 16, 2013 at 02:49:58 -0700, Jonathan Nieder wrote:
> Here's a more complete patch against Daniel's "master". It doesn't
> pass the test suite yet.
>
> If this makes sense, I can split it into smaller pieces:
>
> 1. use the "goto out" for exception handling in create_conn
> 2. allocate user, password, and options on the heap instead of the
> stack
> 3. handle long usernames and passwords in netrc
> 4. handle long usernames, passwords, and options from curl_easy_setopt
> (the title feature!)
> 5. deal with exceptional cases first and use the "goto out" idiom
> in parse_url_login
> 6. handle long usernames and passwords from URL.
>
> That would make it easier to find out which change is breaking tests
> and to review the changes.
Would you be interested in it? Any alternative solution?
Cheers
[0] http://bugs.debian.org/719856
[1] http://bugs.debian.org/719856#10
-- perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/pgp-signature attachment: Digital signature