From 8b151cb944361755396512f9cb8f53b56fa7c076 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 Nov 2020 15:59:35 +0100 Subject: [PATCH] docs: document the 8MB input string limit for curl_easy_escape and curl_easy_setopt() The limit is there to catch mistakes and abuse. It is meant to be large enough to allow virtually all "fine" use cases. Reported-by: Marc Schlatter Fixes #6190 Closes #6191 --- docs/libcurl/curl_easy_escape.3 | 3 ++- docs/libcurl/curl_easy_setopt.3 | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/libcurl/curl_easy_escape.3 b/docs/libcurl/curl_easy_escape.3 index 4889e8a7d..502722046 100644 --- a/docs/libcurl/curl_easy_escape.3 +++ b/docs/libcurl/curl_easy_escape.3 @@ -36,7 +36,8 @@ a-z, A-Z, 0-9, '-', '.', '_' or '~' are converted to their "URL escaped" version (%NN where NN is a two-digit hexadecimal number). If \fIlength\fP is set to 0 (zero), \fIcurl_easy_escape(3)\fP uses strlen() on -the input \fIstring\fP to find out the size. +the input \fIstring\fP to find out the size. This function does not accept +input strings longer than \fBCURL_MAX_INPUT_LENGTH\fP (8 MB). You must \fIcurl_free(3)\fP the returned string when you're done with it. .SH ENCODING diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index f253dff04..e4dafa799 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -48,7 +48,8 @@ thus the string storage associated to the pointer argument may be overwritten after \fIcurl_easy_setopt(3)\fP returns. The only exception to this rule is really \fICURLOPT_POSTFIELDS(3)\fP, but the alternative that copies the string \fICURLOPT_COPYPOSTFIELDS(3)\fP has some usage characteristics you need to -read up on. +read up on. This function does not accept input strings longer than +\fBCURL_MAX_INPUT_LENGTH\fP (8 MB). The order in which the options are set does not matter.