On Thu, 18 May 2023, Benjamin Herrenschmidt wrote:
the default header size for IIS is 16KB.
...
I agree that the failure mode you describe is ... sub-optimal. It was my understanding the limit was introduced to fix a CVE caused by unbounded growth but I might be mistaken.
No, that is correct. Previously there was no limit at all so it could end up ridiculously large. But the limit we ended up with was taken from Apache's implementation, so for once it was not just arbitrarily set =)
Any better idea to solve the issue? We (Amazon) could carry a downstream only patch for our curl but I don't like that option much... The above seems to be a legitimate use case.
It is simply not interoperable. Sending 10K cookie headers will be rejected by some servers and users will not know ahead of time when or if it will work against a particular host. I can't think of a really good way to solve this.
--
 / daniel.haxx.se