mastodon - Link to source

Challenge: improve the speed of the #curl dotdot URL normalizer function. (without doing ridiculous things)

github.com/curl/curl/blob/28d2…


curl/lib/urlapi.c at 28d27570fa021011b8679344d090772fea49d0d1 · curl/curl

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...
GitHub
#curl
in reply to Marcus Müller

mastodon - Link to source

daniel:// stenberg://

@funkylab there's no existing benchmark, just this report that got me looking into this hackerone.com/reports/3463608

curl disclosed on HackerOne: Denial of Service (DoS) vulnerability...

## Summary A Denial of Service (DoS) vulnerability exists in the `dedotdotify()` function in `lib/urlapi.c` that can cause excessive CPU consumption due to O(n²) time complexity when processing...
HackerOne
@Marcus Müller
in reply to daniel:// stenberg://

mastodon - Link to source

Marcus Müller

ah. OK. (and yes, if the problem is "people get to pass unchecked complexity strings to libcurl", then that's an API consumer problem, not a problem of the lib implementing that API)

Simple solution here would *seem* (I bet the devil's in the details!) to be to have two arrays, instead of just the first

1. char array for output
2. max_substring_length_integer array for "how long is this output path component"

. Then, encountering `./` in the input just leaves both alone, and
1/2

in reply to M. Verdone

mastodon - Link to source

daniel:// stenberg://

it's more of a check to figure out if we can improve. Triggered by this: hackerone.com/reports/3463608

curl disclosed on HackerOne: Denial of Service (DoS) vulnerability...

## Summary A Denial of Service (DoS) vulnerability exists in the `dedotdotify()` function in `lib/urlapi.c` that can cause excessive CPU consumption due to O(n²) time complexity when processing...
HackerOne