review.tizen.org Git - platform/upstream/curl.git/commit

author	Seonah Moon <seonah1.moon@samsung.com>
	Tue, 23 Jul 2019 08:51:14 +0000 (17:51 +0900)
committer	Seonah Moon <seonah1.moon@samsung.com>
	Tue, 23 Jul 2019 08:51:18 +0000 (17:51 +0900)
commit	dcbf5ac83708a6edb385b9fde2a963d9986f2f77
tree	68364cd44d4bd4744fa7102e2185b21089c97b29	tree \| snapshot
parent	01fd1f857cb7b82536f890066f17ec2d7b9f406e	commit \| diff

CURL_MAX_INPUT_LENGTH: largest acceptable string input size

This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().

The 8000000 number is arbitrary picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.

NOTE: This does not apply to `CURLOPT_POSTFIELDS`.

Test 1559 verifies.

ClosesThis commit closes pull request #3805. #3805

CVE-2019-5435

Change-Id: I0a6d76769e1471352a477a8b1160672757a2de54

lib/setopt.c		diff \| blob \| history
lib/urlapi.c		diff \| blob \| history
lib/urldata.h		diff \| blob \| history