netrc truncates logins and passwords to ~240 chars. #2676

Closed
Dirbaio opened this Issue Jun 21, 2018 · 3 comments


Dirbaio commented Jun 21, 2018

dirbaio@jupiter:~$ cat > .netrc <<EOF
machine example.com
login test
password 012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
EOF
dirbaio@jupiter:~$ curl -n -v https://example.com
(...)
> Authorization: Basic dGVzdDowMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU=
(...)

If you base64-decode the sent credentials, you get test:012345678(...)012345. The password is (silently!) truncated to 246 characters.

I'm hitting this problem when trying to clone a Git repo from a private system that needs OpenID Connect tokens as passwords, which are ~800 chars.

curl/libcurl version

curl 7.60.0 (x86_64-pc-linux-gnu) libcurl/7.60.0 OpenSSL/1.1.0h zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.4) nghttp2/1.31.1
Release-Date: 2018-05-16
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 

operating system

Arch Linux

Member

bagder commented Jun 22, 2018

Right, the limit seems to be that the current code is only allowing 256 bytes for the whole line:

curl/lib/netrc.c

Lines 118 to 119 in bc5a0b3

char netrcbuffer[256];
int netrcbuffsize = (int)sizeof(netrcbuffer);

A cheap fix would be to instead allow it to use 4096 or something thereabouts: much larger, but not large enough to cause any problems. What do you think?
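Added example, written for this page and not curl's own netrc code: a minimal netrc line reader with the same fixed-buffer behaviour, a lenient mode that reproduces the 246-character cut from the report, and a strict check that refuses a line that did not fit its buffer instead of handing back a partial secret. The function names and the constructed 300-character sample password are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* fgets-like: copy at most bufsz-1 bytes, stopping after a '\n'.
 * Returns a pointer past the consumed input. */
static const char *read_line(const char *src, char *buf, size_t bufsz)
{
    size_t i = 0;
    while (i + 1 < bufsz && *src) {
        buf[i++] = *src;
        if (*src++ == '\n') break;
    }
    buf[i] = '\0';
    return src;
}

/* Copy the token after "password" into out. linebuf_size stands in for
 * curl's fixed netrcbuffer[]. Returns 0 on success, -1 if no password token,
 * 1 if strict is set and the line did not fit; with strict == 0 the cut
 * token is returned as-is, which is the silent truncation reported here. */
static int netrc_password(const char *netrc, size_t linebuf_size, int strict,
                          char *out, size_t outlen)
{
    char line[4096], *tok;
    if (linebuf_size > sizeof line) linebuf_size = sizeof line;
    while (*netrc) {
        netrc = read_line(netrc, line, linebuf_size);
        /* No '\n' but input remains: the line was cut and its tail will be
         * parsed as the next line, so the last token here is partial. */
        int cut = !strchr(line, '\n') && *netrc != '\0';
        for (tok = strtok(line, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
            if (strcmp(tok, "password") != 0) continue;
            if (!(tok = strtok(NULL, " \t\r\n"))) return -1;
            if (cut && strict) return 1;
            snprintf(out, outlen, "%s", tok);
            return 0;
        }
    }
    return -1;
}
/* Constructed sample (not from the report): a 300-char password. Returns the
 * parsed password length, or -1 if the parser refused or found none. */
static int demo(size_t linebuf_size, int strict)
{
    static char out[512];
    char netrc[512] = "machine example.com\nlogin test\npassword ";
    memset(netrc + strlen(netrc), 'a', 300);  /* 300 x 'a', then newline */
    strcat(netrc, "\n");
    int rc = netrc_password(netrc, linebuf_size, strict, out, sizeof out);
    return rc == 0 ? (int)strlen(out) : -1;
}
```

With a 256-byte line buffer the lenient mode returns 246 characters (255 minus the 9 bytes of "password "), exactly the count in the report; the strict mode refuses, and a 4096-byte buffer returns the full 300.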

Dirbaio commented Jun 22, 2018

That would solve my particular issue, yes. Let's just hope no one needs more than 4096 chars :)

bagder added a commit that referenced this issue Jun 23, 2018

netrc: use a larger buffer
... to work with longer passwords etc.

Fixes #2676
Member

bagder commented Jun 23, 2018

It's been 256 bytes since 2003 and you're the first to report a problem with it. I presume 4096 should be good for a few years more =)

@bagder bagder closed this in a3b7cb7 Jun 23, 2018

@lock lock bot locked as resolved and limited conversation to collaborators Sep 21, 2018
