Change #261950
| Category | curl |
| Changed by | Daniel Stenberg <daniel@haxx.se> |
| Changed at | Sat 21 Mar 2026 23:21:55 |
| Repository | https://github.com/curl/curl.git |
| Project | curl |
| Branch | master |
| Revision | 77ed315096598b59dd81c3d8c2ca02e799be6512 |
Comments
progress: count amount of data "delivered" to application ... and apply the CURLOPT_MAXFILESIZE limit (if set) on that as well. This effectively protects the user against "zip bombs". Test case 1618 verifies using a 14 byte brotli payload that otherwise explodes to 102400 zero bytes. Closes #20787
Changed files
- docs/KNOWN_RISKS.md
- docs/cmdline-opts/max-filesize.md
- docs/cmdline-opts/write-out.md
- docs/libcurl/curl_easy_getinfo.md
- docs/libcurl/opts/CURLINFO_SIZE_DELIVERED.md
- docs/libcurl/opts/CURLOPT_MAXFILESIZE.md
- docs/libcurl/opts/CURLOPT_MAXFILESIZE_LARGE.md
- docs/libcurl/opts/Makefile.inc
- docs/libcurl/symbols-in-versions
- include/curl/curl.h
- lib/cw-out.c
- lib/getinfo.c
- lib/progress.c
- lib/progress.h
- lib/urldata.h
- src/tool_writeout.c
- src/tool_writeout.h
- tests/data/Makefile.am
- tests/data/test1618
- tests/data/test220
- tests/data/test970
- tests/data/test972