[gnurl] 334/411: curl_easy_escape: limit output string length to 3 * max
From: gnunet
Subject: [gnurl] 334/411: curl_easy_escape: limit output string length to 3 * max input
Date: Wed, 13 Jan 2021 01:22:29 +0100
This is an automated email from the git hooks/post-receive script.
nikita pushed a commit to branch master
in repository gnurl.
commit 7ae59838f0b9af600f3936485ad45de86bd3435f
Author: Daniel Stenberg <daniel@haxx.se>
AuthorDate: Mon Nov 9 16:24:13 2020 +0100
curl_easy_escape: limit output string length to 3 * max input
... instead of limiting it to just the max input size. As every
input byte can be expanded to 3 output bytes, this could limit the input
string to 2.66 MB instead of the intended 8 MB.
Reported-by: Marc Schlatter
Closes #6192
---
lib/escape.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/escape.c b/lib/escape.c
index 1ec698aa6..683b6fc4a 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -86,7 +86,7 @@ char *curl_easy_escape(struct Curl_easy *data, const char
*string,
if(inlength < 0)
return NULL;
- Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH);
+ Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3);
length = (inlength?(size_t)inlength:strlen(string));
if(!length)
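Review bot: the cap set on the changed line, `Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3);`, bounds only the escaped output, and nothing in the lines shown checks `length` itself against CURL_MAX_INPUT_LENGTH after `length = (inlength?(size_t)inlength:strlen(string));`. With the output limit at three times the maximum, an input made mostly of bytes that need no escaping can be larger than CURL_MAX_INPUT_LENGTH and still be accepted. If the intent is the 8 MB input limit the commit message describes, consider an explicit check on `length` right after it is computed, returning NULL when it is too large, unless that is already enforced outside this hunk. The literal 3 would also benefit from a short comment saying it is the worst-case expansion of one input byte into a three-byte %XX sequence.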