Re: Issue with MAX_COOKIE_HEADER_LEN
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 18 May 2023 12:23:00 +0200 (CEST)
On Thu, 18 May 2023, Benjamin Herrenschmidt wrote:
> the default header size for IIS is 16KB.
...
> I agree that the failure mode you describe is ... sub-optimal. It was my
> understanding the limit was introduced to fix a CVE caused by unbounded
> growth but I might be mistaken.
No, that is correct. Previously there was no limit at all so it could end up
ridiculously large. But the limit we ended up with was taken from Apache's
implementation, so for once it was not just arbitrarily set =)
> Any better idea to solve the issue? We (Amazon) could carry a downstream-only
> patch for our curl but I don't like that option much... The above seems
> to be a legitimate use case.
It is simply not interoperable. Sending 10K cookie headers will be rejected by
some servers and users will not know ahead of time when or if it will work
against a particular host. I can't think of a really good way to solve this.
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html