From 8646cecb785e8ac426527daedc1eb35e27f2edca Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 27 Sep 2009 21:34:13 +0000
Subject: - I introduced a maximum limit for received HTTP headers. It is
 controlled by   the define CURL_MAX_HTTP_HEADER which is even exposed in the
 public header   file to allow for users to fairly easy rebuild libcurl with a
 modified   limit. The rationale for a fixed limit is that libcurl is
 realloc()ing a   buffer to be able to put a full header into it, so that it
 can call the   header callback with the entire header, but that also risk
 getting it into   trouble if a server by mistake or willingly sends a header
 that is more or   less without an end. The limit is set to 100K.

---
 RELEASE-NOTES | 1 +
 1 file changed, 1 insertion(+)

(limited to 'RELEASE-NOTES')

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index b8b46a61e..2035a93bf 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -11,6 +11,7 @@ This release includes the following changes:
 
  o -T. is now for non-blocking uploading from stdin
  o SYST handling on FTP for OS/400 FTP server cases
+ o libcurl refuses to read a single HTTP header longer than 100K
 
 This release includes the following bugfixes:
 
-- 
cgit v1.2.3