Skip to content

/ curl Public

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

netrc truncates logins and passwords to ~240 chars. #2676

Closed
Dirbaio opened this issue Jun 21, 2018 · 3 comments
Closed

netrc truncates logins and passwords to ~240 chars. #2676

Dirbaio opened this issue Jun 21, 2018 · 3 comments

Comments

@Dirbaio
Copy link

@Dirbaio Dirbaio commented Jun 21, 2018 

dirbaio@jupiter:~$ cat > .netrc <<EOF
machine example.com
login test
password 012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
EOF
dirbaio@jupiter:~$ curl -n -v https://example.com
(...)
> Authorization: Basic dGVzdDowMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU=
(...)

If you base64-decode the sent credentials, you get test:012345678(...)012345. The password is (silently!) truncated to 246 characters.

I'm hitting this problem when trying to clone a Git repo from a private system that needs OpenID Connect tokens as passwords, which are ~800 chars.

curl/libcurl version

curl 7.60.0 (x86_64-pc-linux-gnu) libcurl/7.60.0 OpenSSL/1.1.0h zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.4) nghttp2/1.31.1
Release-Date: 2018-05-16
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

Arch Linux
@bagder
Copy link
Member

@bagder bagder commented Jun 22, 2018

Right, the limit seems to be that the current code is only allowing 256 bytes for the whole line:

curl/lib/netrc.c

Lines 118 to 119 in bc5a0b3

char netrcbuffer[256];
int netrcbuffsize = (int)sizeof(netrcbuffer);

A cheap fix would be to instead allow it to use 4096 or something thereabouts: much larger, but not large to cause any problems. What do you think?

@Dirbaio
Copy link
Author

@Dirbaio Dirbaio commented Jun 22, 2018

That would solve my particular issue, yes. Let's just hope no one needs more than 4096 chars :)

bagder added a commit that referenced this issue Jun 23, 2018
@bagder
netrc: use a larger buffer
Loading status checks…
809d422 
... to work with longer passwords etc.

Fixes #2676
@bagder bagder mentioned this issue Jun 23, 2018
Closed
@bagder
Copy link
Member

@bagder bagder commented Jun 23, 2018

It's been 256 bytes since 2003 and you're the first to report a problem with it. I presume 4096 should be good for a few years more =)

@bagder bagder closed this in a3b7cb7 Jun 23, 2018
@Dirbaio Dirbaio mentioned this issue Jul 28, 2018
Closed
@lock lock bot locked as resolved and limited conversation to collaborators Sep 21, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
@bagder @Dirbaio