diff options
| author | Jonathan Nieder <jrnieder@gmail.com> | 2013-08-19 00:57:54 -0700 | 
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2013-08-20 11:16:38 +0200 | 
| commit | 15f76bf7bb92b315799541b0e5127c8d22a50733 (patch) | |
| tree | adb74efc7238bc044492102234eaf23e15c02ade /lib/README.memoryleak | |
| parent | 36585b539543ca4471ab19c0d738a6e52a827aee (diff) | |
Curl_setopt: handle arbitrary-length username and password
libcurl truncates usernames, passwords, and options set with
curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters.
This doesn't affect the return value from curl_easy_setopt(), so from
the caller's point of view, there is no sign anything strange has
happened, except that authentication fails.
For example:
  # Prepare a long (300-char) password.
  s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s;
  # Start a server.
  nc -l -p 8888 | tee out & pid=$!
  # Tell curl to pass the password to the server.
  curl --user me:$s http://localhost:8888 & sleep 1; kill $pid
  # Extract the password.
  userpass=$(
	awk '/Authorization: Basic/ {print $3}' <out |
	tr -d '\r' |
	base64 -d
  )
  password=${userpass#me:}
  echo ${#password}
Expected result: 300
Actual result: 255
The fix is simple: allocate appropriately sized buffers on the heap
instead of trying to squeeze the provided values into fixed-size
on-stack buffers.
Bug: http://bugs.debian.org/719856
Reported-by: Colby Ranger
Diffstat (limited to 'lib/README.memoryleak')
0 files changed, 0 insertions, 0 deletions
