netrc truncates logins and passwords to ~240 chars.

[Dirbaio]

dirbaio@jupiter:~$ cat > .netrc <<EOF
machine example.com
login test
password 012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
EOF
dirbaio@jupiter:~$ curl -n -v https://example.com
(...)
> Authorization: Basic dGVzdDowMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU=
(...)

If you base64-decode the sent credentials, you get test:012345678(...)012345. The password is (silently!) truncated to 246 characters.

I'm hitting this problem when trying to clone a Git repo from a private system that needs OpenID Connect tokens as passwords, which are ~800 chars.

curl/libcurl version

curl 7.60.0 (x86_64-pc-linux-gnu) libcurl/7.60.0 OpenSSL/1.1.0h zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.4) nghttp2/1.31.1
Release-Date: 2018-05-16
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 

operating system

Arch Linux

[bagder]

Right, the limit seems to be that the current code is only allowing 256 bytes for the whole line:

curl/lib/netrc.c

Lines 118 to 119 in bc5a0b3

	char netrcbuffer[256];
	int netrcbuffsize = (int)sizeof(netrcbuffer);

A cheap fix would be to instead allow it to use 4096 or something thereabouts: much larger, but not large to cause any problems. What do you think?

[bagder]

Right, the limit seems to be that the current code is only allowing 256 bytes for the whole line:

curl/lib/netrc.c

Lines 118 to 119 in bc5a0b3

	char netrcbuffer[256];
	int netrcbuffsize = (int)sizeof(netrcbuffer);

A cheap fix would be to instead allow it to use 4096 or something thereabouts: much larger, but not large to cause any problems. What do you think?

[Dirbaio]

That would solve my particular issue, yes. Let's just hope no one needs more than 4096 chars :)

[Dirbaio]

That would solve my particular issue, yes. Let's just hope no one needs more than 4096 chars :)

[bagder]

It's been 256 bytes since 2003 and you're the first to report a problem with it. I presume 4096 should be good for a few years more =)

[bagder]

It's been 256 bytes since 2003 and you're the first to report a problem with it. I presume 4096 should be good for a few years more =)