path: root/lib/krb4.c
author    Jonathan Nieder <jrnieder@gmail.com>  2013-08-19 00:57:54 -0700
committer Daniel Stenberg <daniel@haxx.se>      2013-08-20 11:16:38 +0200
commit    15f76bf7bb92b315799541b0e5127c8d22a50733 (patch)
tree      adb74efc7238bc044492102234eaf23e15c02ade /lib/krb4.c
parent    36585b539543ca4471ab19c0d738a6e52a827aee (diff)
Curl_setopt: handle arbitrary-length username and password
libcurl truncates usernames, passwords, and options set with
curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters.
This doesn't affect the return value from curl_easy_setopt(), so from
the caller's point of view, there is no sign anything strange has
happened, except that authentication fails.

For example:

  # Prepare a long (300-char) password.
  s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s;

  # Start a server.
  nc -l -p 8888 | tee out &
  pid=$!

  # Tell curl to pass the password to the server.
  curl --user me:$s http://localhost:8888 &
  sleep 1; kill $pid

  # Extract the password.
  userpass=$(
    awk '/Authorization: Basic/ {print $3}' <out |
    tr -d '\r' |
    base64 -d
  )
  password=${userpass#me:}
  echo ${#password}

Expected result: 300
Actual result: 255

The fix is simple: allocate appropriately sized buffers on the heap
instead of trying to squeeze the provided values into fixed-size
on-stack buffers.

Bug: http://bugs.debian.org/719856
Reported-by: Colby Ranger
Diffstat (limited to 'lib/krb4.c')
0 files changed, 0 insertions, 0 deletions
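The silent truncation the commit message describes, and the heap-allocation fix it proposes, as an added C example that is not libcurl's own code: store_fixed mimics the pre-fix fixed-size stack buffer, store_heap the fix, and make_long_password builds the 300-character password from the reproduction above. The function names and the MAX_CURL_PASSWORD_LENGTH value of 256 (derived from the "255 = MAX_CURL_PASSWORD_LENGTH - 1" stated above) are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed pre-fix limit named in the commit message: a 256-byte on-stack
   buffer holds at most 255 characters plus the terminator. */
#define MAX_CURL_PASSWORD_LENGTH 256

/* Pre-fix pattern (illustrative, not libcurl's real code): the value is
   copied into a fixed-size buffer and silently cut off. Returns the length
   actually kept; the caller of the real API never saw this number. */
static size_t store_fixed(const char *value)
{
    char buf[MAX_CURL_PASSWORD_LENGTH];
    strncpy(buf, value, sizeof(buf) - 1);  /* no error when it does not fit */
    buf[sizeof(buf) - 1] = '\0';
    return strlen(buf);
}

/* Post-fix pattern: a heap copy sized to the value. Returns NULL only on
   allocation failure, which the caller can turn into a real error code. */
static char *store_heap(const char *value)
{
    size_t len = strlen(value);
    char *copy = malloc(len + 1);
    if (copy)
        memcpy(copy, value, len + 1);
    return copy;
}

/* Length that survives the heap path (0 if allocation failed). */
static size_t stored_heap_length(const char *value)
{
    char *copy = store_heap(value);
    size_t n = copy ? strlen(copy) : 0;
    free(copy);
    return n;
}

/* Constructed input matching the commit's reproduction: "0123456789"
   repeated 30 times, i.e. a 300-character password. Caller frees it. */
static char *make_long_password(void)
{
    char *s = malloc(301);
    if (!s)
        return NULL;
    for (int i = 0; i < 30; i++)
        memcpy(s + i * 10, "0123456789", 10);
    s[300] = '\0';
    return s;
}
```

With the 300-character input, store_fixed reports 255 kept while stored_heap_length reports 300, which is exactly the expected-versus-actual gap in the reproduction.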