On Wed, 14 May 2025, Dan Fandrich via curl-library wrote:
> If the current few known-bad offenders are added to a whitelist, it becomes
> easier to ratchet this number down over time.
Here's a first shot that sets the maximum allowed limit to 100, with two
functions whitelisted at the moment:
https://github.com/curl/curl/pull/17398
If you check out the CI job it lists all functions that are scored 80 or
higher and the list currently looks like this:
142 src/tool_getparam.c:getparameter [ALLOWED]
124 src/tool_operate.c:single_transfer [ALLOWED]
---- threshold: 100 ----
100 lib/setopt.c:setopt_long
100 lib/vssh/libssh.c:myssh_statemach_act
100 lib/mprintf.c:formatf
97 lib/url.c:url_match_conn
92 lib/vtls/openssl.c:Curl_ossl_ctx_init
92 lib/urlapi.c:curl_url_get
88 lib/http.c:http_header
83 lib/ftplistparser.c:parse_unix
--
/ daniel.haxx.se || https://rock-solid.curl.dev
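The gate described in the mail above, as an added sketch that is not code from the linked pull request or from curl's CI: functions scoring above the limit fail unless they are on the allowed list. It goes one step beyond the mail by also reporting allowed entries that no longer need their exemption, which is what lets the list shrink over time. The report format (`<score> <file>:<function>`), the names `parse` and `gate`, and the sample input are assumptions; the scores are the ones quoted in the mail.

```python
import re

# Constructed input in an assumed "<score> <file>:<function>" format,
# using scores quoted in the mail (the scoring tool is not shown there).
REPORT = """\
142 src/tool_getparam.c:getparameter
124 src/tool_operate.c:single_transfer
100 lib/setopt.c:setopt_long
100 lib/mprintf.c:formatf
97 lib/url.c:url_match_conn
"""

LIMIT = 100  # maximum allowed score; a function fails only above this
ALLOWED = {  # known offenders exempted for now
    "src/tool_getparam.c:getparameter",
    "src/tool_operate.c:single_transfer",
}

LINE = re.compile(r"^(\d+)\s+(\S+:\S+)$")


def parse(report):
    """Return (score, 'file:function') pairs, highest score first."""
    rows = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable report line: {raw!r}")
        rows.append((int(m.group(1)), m.group(2)))
    return sorted(rows, key=lambda r: -r[0])


def gate(rows, limit, allowed):
    """Split the report into CI failures and stale allowlist entries."""
    scores = {name: score for score, name in rows}
    failures = [n for s, n in rows if s > limit and n not in allowed]
    # An allowed function now within the limit (or absent from the report)
    # no longer needs its exemption and should be dropped from the list.
    stale = sorted(n for n in allowed if scores.get(n, 0) <= limit)
    return failures, stale


if __name__ == "__main__":
    failures, stale = gate(parse(REPORT), LIMIT, ALLOWED)
    for name in failures:
        print(f"FAIL over {LIMIT}: {name}")
    for name in stale:
        print(f"STALE allowlist entry: {name}")
    raise SystemExit(1 if failures or stale else 0)
```

Treating a stale entry as a failure keeps an exempted function from growing back past the limit unnoticed after it has been cleaned up.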