generic-library/curl

Go to file

Jonathan Nieder 15f76bf7bb Curl_setopt: handle arbitrary-length username and password

libcurl truncates usernames, passwords, and options set with
curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters.
This doesn't affect the return value from curl_easy_setopt(), so from
the caller's point of view, there is no sign anything strange has
happened, except that authentication fails.

For example:

  # Prepare a long (300-char) password.
  s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s;
  # Start a server.
  nc -l -p 8888 | tee out & pid=$!
  # Tell curl to pass the password to the server.
  curl --user me:$s http://localhost:8888 & sleep 1; kill $pid
  # Extract the password.
  userpass=$(
	awk '/Authorization: Basic/ {print $3}' <out |
	tr -d '\r' |
	base64 -d
  )
  password=${userpass#me:}
  echo ${#password}

Expected result: 300
Actual result: 255

The fix is simple: allocate appropriately sized buffers on the heap
instead of trying to squeeze the provided values into fixed-size
on-stack buffers.

Bug: http://bugs.debian.org/719856
Reported-by: Colby Ranger

2013-08-20 11:16:38 +02:00

CMake

cmake: use standard findxxx modules for cmake v2.8+

2012-09-17 23:22:09 +02:00

docs

THANKS: added contributors from the 7.32.0 release notes

2013-08-11 23:43:32 +02:00

include

version number: bump to 7.32.1 for now

2013-08-12 13:16:44 +02:00

lib

Curl_setopt: handle arbitrary-length username and password

2013-08-20 11:16:38 +02:00

configure: warn on bad env variable use, don't error

2013-08-05 09:31:59 +02:00

packages

VMS: Add RELEASE-NOTES to vms document

2013-08-15 10:57:52 +02:00

perl

removed trailing whitespace

2011-12-30 03:36:18 +01:00

src

glob: error out on range overflow

2013-08-16 11:55:04 +02:00

tests

netrc: handle longer username and password

2013-08-20 11:16:38 +02:00

move msvc IDE related files to 'vs' directory tree

2013-02-13 17:14:21 +01:00

winbuild

msvc: move Makefile.msvc.names into winbuild/

2013-02-06 23:14:11 +01:00

.gitattributes

Tell git to not convert configure-related files.

2012-07-17 20:35:23 +02:00

.gitignore

repository: ignore patch files generated by git

2013-02-22 23:22:22 +01:00

acinclude.m4

CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling

2013-04-18 23:37:56 +02:00

buildconf

Revert changes relative to lib/*.[ch] recent renaming

2013-01-06 18:20:27 +01:00

buildconf.bat

curl tool: renaming hugehelp files to tool_hugehelp

2012-12-26 23:30:54 +01:00

CHANGES

CHANGES: move all contents from CHANGES to CHANGES.0

2010-06-21 22:27:39 +02:00

CHANGES.0

removed trailing whitespace

2011-12-30 03:36:18 +01:00

CMakeLists.txt

cmake: Fix mingw build

2013-02-04 22:35:09 +01:00

configure.ac

configure: fix 'subdir-objects' distclean related issue

2013-07-18 04:48:33 +02:00

COPYING

COPYING: Updated copyright year to include 2013

2013-02-05 23:05:50 +00:00

CTestConfig.cmake

ENH: move dashboard location

2009-07-15 19:40:46 +00:00

curl-config.in

curl-config.in: replace tabs by spaces

2013-06-22 22:08:42 +02:00

GIT-INFO

curl tool: renaming hugehelp files to tool_hugehelp

2012-12-26 23:30:54 +01:00

install-sh

install-sh: updated to support multiple source files as arguments

2013-02-13 15:47:54 +01:00

libcurl.pc.in

build: prevent global LIBS from influencing src and lib build targets

2012-12-03 22:41:18 +01:00

log2changes.pl

log2changes.pl: fix the Version output

2012-06-07 23:50:00 +02:00

MacOSX-Framework

OS X framework: fix invalid symbolic link

2013-05-09 21:51:35 +02:00

Makefile.am

move msvc IDE related files to 'vs' directory tree

2013-02-13 17:14:21 +01:00

Makefile.dist

Added winssl-zlib target to VC builds.

2013-07-08 17:46:15 +02:00

maketgz

maketgz: make bzip2 creation work with Parallel BZIP2 too

2013-04-18 11:13:56 +02:00

missing

renamed generated config.h to curl_config.h in order to avoid clashes when libcurl is used with other projects which also have a config.h.

2009-07-14 13:25:14 +00:00

mkinstalldirs

install-sh: updated to support multiple source files as arguments

2013-02-13 15:47:54 +01:00

README

various changes of CVS to git

2010-03-22 00:34:09 +01:00

RELEASE-NOTES

version number: bump to 7.32.1 for now

2013-08-12 13:16:44 +02:00

TODO-RELEASE

TODO-RELEASE: cleaned up, not really maintained lately

2013-04-08 08:32:10 +02:00

README

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

README

  Curl is a command line tool for transferring data specified with URL
  syntax. Find out how to use curl by reading the curl.1 man page or the
  MANUAL document. Find out how to install Curl by reading the INSTALL
  document.

  libcurl is the library curl is using to do its job. It is readily
  available to be used by your software. Read the libcurl.3 man page to
  learn how!

  You find answers to the most frequent questions we get in the FAQ document.

  Study the COPYING file for distribution terms and similar. If you distribute
  curl binaries or other binaries that involve libcurl, you might enjoy the
  LICENSE-MIXING document.

CONTACT

  If you have problems, questions, ideas or suggestions, please contact us
  by posting to a suitable mailing list. See http://curl.haxx.se/mail/

  All contributors to the project are listed in the THANKS document.

WEB SITE

  Visit the curl web site for the latest news and downloads:

        http://curl.haxx.se/

GIT

  To download the very latest source off the GIT server do this:

    git clone git://github.com/bagder/curl.git

  (you'll get a directory named curl created, filled with the source code)

NOTICE

  Curl contains pieces of source code that is Copyright (c) 1998, 1999
  Kungliga Tekniska Högskolan. This notice is included here to comply with the
  distribution terms.

Languages

C 74.6%

M4 8.4%

Perl 7.1%

DIGITAL Command Language 3.6%

CMake 1.9%

Other 4.3%