From 6dbfce1031a8dd177772e2ee356c712b2454f794 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 16 Dec 2005 14:52:16 +0000 Subject: [PATCH] Jean Jacques Drouin pointed out that you could only have a user name or password of 127 bytes or less embedded in a URL, where actually the code uses a 255 byte buffer for it! Modified now to use the full buffer size. --- CHANGES | 8 ++++++++ RELEASE-NOTES | 6 ++++-- lib/url.c | 5 +++-- 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 5a8496d6f..c98d4707e 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,14 @@ +Daniel (16 December 2005) +- Jean Jacques Drouin pointed out that you could only have a user name or + password of 127 bytes or less embedded in a URL, where actually the code + uses a 255 byte buffer for it! Modified now to use the full buffer size. + +Daniel (12 December 2005) +- Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly + Version 7.15.1 (7 December 2005) Daniel (6 December 2005) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index bbbda0fe4..503ec75b1 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -15,14 +15,16 @@ This release includes the following changes: This release includes the following bugfixes: - o + o supports name and passwords up to 255 bytes long, embedded in URLs + o the HTTP_ONLY define disables the TFTP support Other curl-related news since the previous public release: - o + o http://curl.hkmirror.org/ is a new curl web mirror in Hong Kong This release would not have looked like this without help, code, reports and advice from friends like these: + Dov Murik, Jean Jacques Drouin Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/url.c b/lib/url.c index 3715b10ca..781d1d11d 100644 --- a/lib/url.c +++ b/lib/url.c 
@@ -3166,12 +3166,13 @@ static CURLcode CreateConnection(struct SessionHandle *data, if(*userpass != ':') { /* the name is given, get user+password */ - sscanf(userpass, "%127[^:@]:%127[^@]", + sscanf(userpass, "%" MAX_CURL_USER_LENGTH_TXT "[^:@]:" + "%" MAX_CURL_PASSWORD_LENGTH_TXT "[^@]", user, passwd); } else /* no name given, get the password only */ - sscanf(userpass, ":%127[^@]", passwd); + sscanf(userpass, ":%" MAX_CURL_PASSWORD_LENGTH_TXT "[^@]", passwd); if(user[0]) { char *newname=curl_unescape(user, 0);
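Review bot: In the lib/url.c hunk, the new scan widths come from MAX_CURL_USER_LENGTH_TXT and MAX_CURL_PASSWORD_LENGTH_TXT, but neither their definitions nor the declarations of `user` and `passwd` are part of this patch, so nothing visible here ties each width to its buffer size. A `%[` width counts the characters stored and excludes the terminating NUL, so each buffer has to be at least width + 1 bytes. The commit message says "255 byte buffer" while RELEASE-NOTES promises names and passwords "up to 255 bytes long"; both hold only if the buffers are really 256 bytes, otherwise the _TXT values need to be 254. Please confirm which it is and add a comment beside the macros stating that the _TXT string must stay equal to the buffer size minus one. Separately, both sscanf() calls still ignore the return value, so credentials longer than the width are silently truncated, and in the user+password form an over-long name also makes the literal ':' fail to match and leaves `passwd` unset; checking the conversion count and rejecting the URL would be safer than continuing with partial credentials.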
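Review bot: The CHANGES and RELEASE-NOTES hunks bundle entries unrelated to this commit's subject: the 12 December HTTP_ONLY/TFTP item credited to Dov Murik, the matching "HTTP_ONLY define disables the TFTP support" bugfix line, and the curl.hkmirror.org mirror notice. Committing those separately would keep the history of the credential-length change self-contained and easier to backport or revert. In the RELEASE-NOTES bugfix line, "supports name and passwords" would read better as "supports user names and passwords", and the stated 255-byte limit should match whatever the buffers in lib/url.c actually allow once the NUL terminator is accounted for.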