curl-library
I propose CURL_MAX_INPUT_LENGTH: largest acceptable string input size
From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 25 Apr 2019 17:35:53 +0200 (CEST)
Date: Thu, 25 Apr 2019 17:35:53 +0200 (CEST)
Hi friends,
Here's me implementing a generic string length limit in what is accepted when
passing strings to libcurl: https://github.com/curl/curl/pull/3805
It applies to all strings set to libcurl with curl_easy_setopt() and
curl_url_set() *EXCEPT* CURLOPT_POSTFIELDS.
The reason for this limit is to detect abuse and mistakes easier and to reduce
the risk for integer overflow mistakes internally (we have 4 previous CVEs
that occured due us accepting "excessive" input lengths).
The limit is set to 1000000 for now, but I'm open to discussing alternative
values!
Will this break too many applications? Is it too drastic? Is the limit
ridiculously low? Am I fixing this problem the wrong way?
I'm all ears.
-- / daniel.haxx.se ------------------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2019-04-25