curl / Mailing Lists / curl-library / Single Mail


I propose CURL_MAX_INPUT_LENGTH: largest acceptable string input size

From: Daniel Stenberg via curl-library <>
Date: Thu, 25 Apr 2019 17:35:53 +0200 (CEST)

Hi friends,

Here's me implementing a generic string length limit in what is accepted when
passing strings to libcurl:

It applies to all strings set to libcurl with curl_easy_setopt() and

The reason for this limit is to detect abuse and mistakes easier and to reduce
the risk for integer overflow mistakes internally (we have 4 previous CVEs
that occured due us accepting "excessive" input lengths).

The limit is set to 1000000 for now, but I'm open to discussing alternative

Will this break too many applications? Is it too drastic? Is the limit
ridiculously low? Am I fixing this problem the wrong way?

I'm all ears.

Received on 2019-04-25