Hi, as per Debian bug #719856 [0], libcurl truncates all the passwords longer than 255 characters when using basic auth:
On Fri, Aug 16, 2013 at 12:54:01 -0700, Jonathan Nieder wrote:
> Test case:
>
> # Prepare a long (300-character) password.
> s=0123456789
> s=$s$s$s$s$s$s$s$s$s$s
> s=$s$s$s
>
> # Start a server.
> nc -l -p 8888 | tee out &
> pid=$!
>
> # Ask curl to pass a long password to that server.
> curl --user me:$s http://localhost:8888 &
> sleep 1
> kill $pid
>
> # Extract the password.
> userpass=$(
> awk '/Authorization: Basic/ {print $3}' <out |
> tr -d '\r' |
> base64 -d
> )
> password=${userpass#me:}
> echo ${#password}
>
> Expected result: 300
> Actual result: 255

At [1] there's an attempt at a patch that basically strdup()s the password and username, although it doesn't yet pass the test suite:

On Fri, Aug 16, 2013 at 02:49:58 -0700, Jonathan Nieder wrote:
> Here's a more complete patch against Daniel's "master". It doesn't
> pass the test suite yet.
>
> If this makes sense, I can split it into smaller pieces:
>
> 1. use the "goto out" for exception handling in create_conn
> 2. allocate user, password, and options on the heap instead of the
>    stack
> 3. handle long usernames and passwords in netrc
> 4. handle long usernames, passwords, and options from curl_easy_setopt
>    (the title feature!)
> 5. deal with exceptional cases first and use the "goto out" idiom
>    in parse_url_login
> 6. handle long usernames and passwords from URL.
>
> That would make it easier to find out which change is breaking tests
> and to review the changes.

Would you be interested in it? Any alternative solution?

Cheers

[0] http://bugs.debian.org/719856
[1] http://bugs.debian.org/719856#10

--
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
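
The truncation reported in the message above, and the heap-allocation approach the quoted patch description proposes, as an added illustration that is not part of the original message and is not libcurl's code. The 256-byte buffer size is an assumption inferred from the 255-character result, and the function names `copy_fixed`, `copy_heap` and `stored_len` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FIXED_BUF 256 /* assumption: size implied by the 255-character result */

/* Truncating pattern: a fixed buffer silently drops everything past 255 bytes. */
size_t copy_fixed(char dst[FIXED_BUF], const char *src)
{
    size_t n = strlen(src);
    if (n > FIXED_BUF - 1)
        n = FIXED_BUF - 1; /* silent truncation */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Heap pattern: the copy is sized to the input; NULL on out-of-memory. */
char *copy_heap(const char *src)
{
    size_t n = strlen(src) + 1;
    char *dst = malloc(n);
    if (dst)
        memcpy(dst, src, n);
    return dst;
}

/* Length that survives for a `len`-character password built like the test case's. */
size_t stored_len(size_t len, int use_heap)
{
    char fixed[FIXED_BUF], *copy = NULL, *pw = malloc(len + 1);
    size_t n = 0;
    if (!pw)
        return 0;
    for (size_t i = 0; i < len; i++)
        pw[i] = (char)('0' + i % 10); /* "0123456789" repeated */
    pw[len] = '\0';
    if (!use_heap)
        n = copy_fixed(fixed, pw);
    else if ((copy = copy_heap(pw)) != NULL)
        n = strlen(copy);
    free(copy);
    free(pw);
    return n;
}

int main(void)
{
    printf("fixed: %zu, heap: %zu\n", stored_len(300, 0), stored_len(300, 1));
    return 0;
}
```

With a 300-character input the fixed-buffer path keeps 255 characters and the heap path keeps all 300, matching the "Actual" and "Expected" results in the test case.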
