On Thu, 24 Sep 2009, Daniel Stenberg wrote:

lib/transfer.c:readwrite_http_headers() is the responsible function. I
guess at least some kind of fixed maximum header length (like a 100KB or
1MB or so) is suitable to use there. Wouldn't you agree on that?

That seems entirely reasonable. I believe Seth said that he configured
a limit of 2MB using the HEADERFUNCTION.

Has anyone detailed the possible client DoS scenarios beyond what's been
written in the tutorial, or is it better to have that discussion on
curl-library, instead?

I think the scenario would include an evil server that tricks a libcurl-based client into downloading a URL that provides just an endless single-line HTTP header. That would then cause libcurl to not provide any data to the app so the app cannot abort due to data size (only based on time really) and eventually realloc() itself to death if it can download enough.

I suggest we just make libcurl stop at 100K and then consider the rest not an HTTP header anymore - or perhaps consider it an illegal/bad stream and bail out. Any other opinions or perhaps nods?


If you can make the size value configurable then bailing out would be appropriate. That way if an app doesn't know about this they are protected from it, but if they do know about it and need really big headers, they can set the value and move along.

-sv
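To make the two proposals in this thread concrete (a hard cap on header size, checked before any allocation, and that cap being configurable by the application), here is a small added example in C. It is not libcurl code and not what Daniel or -sv posted; the names hdr_buf, hdr_feed and simulate_endless_header are invented for this illustration. The reader loop accumulates one header line from stream chunks, refuses to grow past the configured maximum before calling realloc(), and the simulation reproduces the "endless single-line header" scenario with a constructed stream of 'A' bytes that never terminates.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes returned by hdr_feed(). */
enum hdr_status {
    HDR_OK = 0,          /* a complete header line is in the buffer */
    HDR_NEED_MORE = 1,   /* no line terminator yet, keep feeding */
    HDR_TOO_LARGE = -1,  /* line would exceed the configured maximum: bail out */
    HDR_OOM = -2         /* realloc() failed */
};

/* Hypothetical accumulator for a single header line. */
struct hdr_buf {
    char *data;   /* accumulated (partial) header line, NUL-terminated */
    size_t len;   /* bytes currently stored */
    size_t cap;   /* allocated size of data */
    size_t max;   /* hard cap on len: the app-configurable limit */
};

void hdr_init(struct hdr_buf *b, size_t max)
{
    b->data = NULL;
    b->len = 0;
    b->cap = 0;
    b->max = max;
}

void hdr_free(struct hdr_buf *b)
{
    free(b->data);
    hdr_init(b, b->max);
}

/* Make room for 'need' more bytes plus a NUL. Callers have already
 * verified len + need <= max, so the buffer never grows past max + 1. */
static int hdr_reserve(struct hdr_buf *b, size_t need)
{
    size_t want = b->len + need + 1;
    if (want <= b->cap)
        return HDR_OK;
    size_t ncap = b->cap ? b->cap * 2 : 256;
    while (ncap < want)
        ncap *= 2;
    if (ncap > b->max + 1)
        ncap = b->max + 1;
    char *p = realloc(b->data, ncap);
    if (!p)
        return HDR_OOM;
    b->data = p;
    b->cap = ncap;
    return HDR_OK;
}

/* Feed 'n' bytes of stream data. Takes bytes up to and including the first
 * '\n'; *consumed receives how many bytes of chunk were used. */
int hdr_feed(struct hdr_buf *b, const char *chunk, size_t n, size_t *consumed)
{
    const char *nl = memchr(chunk, '\n', n);
    size_t take = nl ? (size_t)(nl - chunk) + 1 : n;

    /* The size check comes BEFORE any allocation, so a line without a
     * terminator can never drive the heap past the limit. */
    if (take > b->max - b->len) {
        *consumed = 0;
        return HDR_TOO_LARGE;
    }
    int rc = hdr_reserve(b, take);
    if (rc != HDR_OK) {
        *consumed = 0;
        return rc;
    }
    memcpy(b->data + b->len, chunk, take);
    b->len += take;
    b->data[b->len] = '\0';
    *consumed = take;
    return nl ? HDR_OK : HDR_NEED_MORE;
}

/* Simulate the scenario from the thread: a server that sends one header
 * line that never ends. Feeds 'chunk' bytes of constructed 'A' payload at a
 * time, at most 'rounds' times, and returns the first status other than
 * HDR_NEED_MORE. *buffered receives the bytes held when the loop stopped. */
int simulate_endless_header(size_t limit, size_t chunk, size_t rounds, size_t *buffered)
{
    struct hdr_buf b;
    hdr_init(&b, limit);
    char *piece = malloc(chunk);
    if (!piece)
        return HDR_OOM;
    memset(piece, 'A', chunk);   /* constructed payload: "AAAA..." with no newline */
    int rc = HDR_NEED_MORE;
    for (size_t i = 0; i < rounds && rc == HDR_NEED_MORE; i++) {
        size_t used;
        rc = hdr_feed(&b, piece, chunk, &used);
    }
    *buffered = b.len;
    free(piece);
    hdr_free(&b);
    return rc;
}

int main(void)
{
    size_t held;
    int rc = simulate_endless_header(100 * 1024, 4096, 1000000, &held);
    printf("endless header: status %d after buffering %zu bytes (limit %d)\n",
           rc, held, 100 * 1024);
    return rc == HDR_TOO_LARGE ? 0 : 1;
}
```

With the limit at 100K the simulation stops with HDR_TOO_LARGE after holding at most 100K bytes, regardless of how much the stream offers; an application that needs larger headers raises the value passed to hdr_init, which is the "configurable and bail out" behaviour -sv asked for. Returning the error to the caller (rather than silently treating the rest as body) also gives the app a point at which to abort the transfer based on size instead of only on time.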

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
