> On March 28, 2011, 9:12 p.m., Monty Brandenberg wrote:
> > Before shipping, review the exploit history around CURLOPT_ENCODING. There is a
> > known buffer overflow exploit, I believe in pre-7.20 releases but that should be
> > checked first for applicability.

Thank you, found it: http://curl.haxx.se/docs/adv_20100209.html

The advisory applies to libcurl < 7.20. We are using libcurl 7.21.1.

- Stone

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://codereview.secondlife.com/r/242/#review512
-----------------------------------------------------------

On March 28, 2011, 6:22 p.m., Stone Linden wrote:

> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://codereview.secondlife.com/r/242/
> -----------------------------------------------------------
>
> (Updated March 28, 2011, 6:22 p.m.)
>
> Review request for Viewer, Oz Linden, Joshua Linden, and Brad Kittenbrink.
>
> Summary
> -------
>
> Enable Accept-Encoding: deflate, gzip in libcurl via setopt CURLOPT_ENCODING.
> I'm approaching this for Inventory, but it would apply to any HTTP request
> that goes through the LLURLRequest code path (vs. the LLCurl code path, which
> already does this).
>
> Diffs
> -----
>
> indra/llmessage/llurlrequest.cpp 2ae060c0fa91
>
> Diff: http://codereview.secondlife.com/r/242/diff
>
> Testing
> -------
>
> Inventory loads, and I see the encoding options coming through on the backend
> apache logs.
>
> Thanks,
>
> Stone