curl-library

I propose CURL_MAX_INPUT_LENGTH: largest acceptable string input size

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 25 Apr 2019 17:35:53 +0200 (CEST)

Hi friends,

Here's me implementing a generic string length limit in what is accepted when
passing strings to libcurl: https://github.com/curl/curl/pull/3805

It applies to all strings set to libcurl with curl_easy_setopt() and
curl_url_set() *EXCEPT* CURLOPT_POSTFIELDS.

The reason for this limit is to detect abuse and mistakes easier and to reduce
the risk for integer overflow mistakes internally (we have 4 previous CVEs
that occurred due to us accepting "excessive" input lengths).

The limit is set to 1000000 for now, but I'm open to discussing alternative
values!

Will this break too many applications? Is it too drastic? Is the limit
ridiculously low? Am I fixing this problem the wrong way?

I'm all ears.

-- 
  / daniel.haxx.se
Received on 2019-04-25
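
An added illustration of the idea proposed in the mail above; it is not code from the pull request or from libcurl. It assumes a hypothetical setter `set_string()` that enforces the proposed 1000000-byte limit before copying, and a constructed 32-bit size computation `escaped_size_u32()` showing the kind of arithmetic that can wrap when input length is unbounded.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT_LENGTH 1000000 /* the value proposed in the mail */

enum setstr_result { SETSTR_OK, SETSTR_TOO_LONG, SETSTR_NOMEM };

/* Length of s, but never scans more than max+1 bytes of it. */
static size_t bounded_len(const char *s, size_t max)
{
  size_t n = 0;
  while(n <= max && s[n])
    n++;
  return n; /* max+1 means "longer than max" */
}

/* Hypothetical setter: stores a copy of s in *slot unless it is too long.
   On any error the previously stored value is left untouched. */
enum setstr_result set_string(char **slot, const char *s)
{
  size_t len = bounded_len(s, MAX_INPUT_LENGTH);
  char *copy;
  if(len > MAX_INPUT_LENGTH)
    return SETSTR_TOO_LONG;
  copy = malloc(len + 1);
  if(!copy)
    return SETSTR_NOMEM;
  memcpy(copy, s, len + 1);
  free(*slot);
  *slot = copy;
  return SETSTR_OK;
}

/* Constructed downstream computation: worst-case percent-encoded size
   (3 bytes per input byte plus NUL) held in a 32-bit variable. */
uint32_t escaped_size_u32(uint32_t len)
{
  return len * 3u + 1u; /* wraps modulo 2^32 for large len */
}

int main(void)
{
  char *slot = NULL;
  printf("short string: %d\n", set_string(&slot, "https://example.com/"));
  printf("at the limit: %u bytes\n", (unsigned)escaped_size_u32(MAX_INPUT_LENGTH));
  printf("1431655765 in: %u bytes\n", (unsigned)escaped_size_u32(1431655765u));
  free(slot);
  return 0;
}
```

With the limit enforced at the setter, the largest length that can reach the size computation is 1000000, so the result stays at 3000001; without it, a 1431655765-byte input makes the same expression wrap to 0.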