Change #261933
| Category | None |
| Changed by | Daniel Stenberg <daniel@haxx.se> |
| Changed at | Sat 21 Mar 2026 23:03:16 |
| Repository | https://api.github.com/repos/curl/curl |
| Project | curl/curl |
| Branch | bagder/max-unzip |
| Revision | a417ec8ebac5e7c4645287ad20b9f556e8897fa0 |
Comments
progress: count amount of data "delivered" to application ... and apply the CURLOPT_MAXFILESIZE limit (if set) on that as well. This effectively protects the user against "zip bombs". Test case 1618 verifies using a 14 byte brotli payload that otherwise explodes to 102400 zero bytes. Closes #20787
Changed files
- docs/KNOWN_RISKS.md
- docs/cmdline-opts/max-filesize.md
- docs/cmdline-opts/write-out.md
- docs/libcurl/curl_easy_getinfo.md
- docs/libcurl/opts/CURLINFO_SIZE_DELIVERED.md
- docs/libcurl/opts/CURLOPT_MAXFILESIZE.md
- docs/libcurl/opts/CURLOPT_MAXFILESIZE_LARGE.md
- docs/libcurl/opts/Makefile.inc
- docs/libcurl/symbols-in-versions
- include/curl/curl.h
- lib/cw-out.c
- lib/getinfo.c
- lib/progress.c
- lib/progress.h
- lib/urldata.h
- src/tool_writeout.c
- src/tool_writeout.h
- tests/data/Makefile.am
- tests/data/test1618
- tests/data/test220
- tests/data/test970
- tests/data/test972