From 404c8850da5a677638959f4e38bb7692cb887d3a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 18 May 2018 16:48:13 +0200
Subject: curl_fnmatch: only allow two asterisks for matching
The previous limit of 5 can still end up in situation that takes a very long time and consumes a lot of CPU. If there is still a rare use case for this, a user can provide their own fnmatch callback for a version that allows a larger set of wildcards. This commit was triggered by yet another OSS-Fuzz timeout due to this.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369
Closes #2587
---
 lib/curl_fnmatch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/curl_fnmatch.c')
diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index 0179a4f71..268fe79b3 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -355,5 +355,5 @@ int Curl_fnmatch(void *ptr, const char *pattern, const char *string)
 if(!pattern || !string) {
 return CURL_FNMATCH_FAIL;
 }
- return loop((unsigned char *)pattern, (unsigned char *)string, 5);
+ return loop((unsigned char *)pattern, (unsigned char *)string, 2);
 }
--
cgit v1.2.3
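Review bot: The wildcard cap passed to `loop()` in the `return` statement of `Curl_fnmatch` is a bare literal `2`, so the reason for the limit is recorded only in the commit message. A comment above the call would keep the CPU-exhaustion rationale next to the code, for example `/* allow at most two '*' wildcards; higher limits let crafted patterns consume excessive CPU (OSS-Fuzz 8369) */`. The hunk does not show what `loop()` returns once a pattern exceeds the cap, so the comment or the user-facing wildcard documentation should state whether such a pattern is treated as a non-match or as an error. That matters because patterns with three to five asterisks that previously matched presumably stop matching after this change. The opening of the function body lies outside the hunk.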