- I introduced a maximum limit for received HTTP headers. It is controlled by

the define CURL_MAX_HTTP_HEADER which is even exposed in the public header file to allow for users to fairly easy rebuild libcurl with a modified limit. The rationale for a fixed limit is that libcurl is realloc()ing a buffer to be able to put a full header into it, so that it can call the header callback with the entire header, but that also risk getting it into trouble if a server by mistake or willingly sends a header that is more or less without an end. The limit is set to 100K.
author: Daniel Stenberg <daniel@haxx.se> 2009-09-27 21:34:13 +0000
committer: Daniel Stenberg <daniel@haxx.se> 2009-09-27 21:34:13 +0000
commit: 8646cecb785e8ac426527daedc1eb35e27f2edca (patch)
tree: 8a64406f2bf721bdd68e1da85059d5c1afa12b92 /RELEASE-NOTES
parent: 867a0de670f343256e88c56352c69534f852f6b5 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b8b46a61e..2035a93bf 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -11,6 +11,7 @@ This release includes the following changes:
 
  o -T. is now for non-blocking uploading from stdin
  o SYST handling on FTP for OS/400 FTP server cases
+ o libcurl refuses to read a single HTTP header longer than 100K
 
 This release includes the following bugfixes:
author	Daniel Stenberg <daniel@haxx.se>	2009-09-27 21:34:13 +0000
committer	Daniel Stenberg <daniel@haxx.se>	2009-09-27 21:34:13 +0000
commit	8646cecb785e8ac426527daedc1eb35e27f2edca (patch)
tree	8a64406f2bf721bdd68e1da85059d5c1afa12b92 /RELEASE-NOTES
parent	867a0de670f343256e88c56352c69534f852f6b5 (diff)