[opensource-dev] Review Request: Enable CURLOPT_ENCODING for Inventory caps, which uses the LLURLRequest code path

Stone Linden stone at lindenlab.com
Tue Mar 29 10:09:45 PDT 2011



> On March 28, 2011, 9:12 p.m., Monty Brandenberg wrote:
> > Before shipping, review the exploit history around CURLOPT_ENCODING.  There is a
> > known buffer overflow exploit, I believe in pre-7.20 releases but that should be
> > checked first for applicability.

Thank you, found it:
http://curl.haxx.se/docs/adv_20100209.html

The advisory applies to libcurl < 7.20. We are using libcurl 7.21.1.


- Stone


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://codereview.secondlife.com/r/242/#review512
-----------------------------------------------------------


On March 28, 2011, 6:22 p.m., Stone Linden wrote:
> 
> (Updated March 28, 2011, 6:22 p.m.)
> 
> 
> Review request for Viewer, Oz Linden, Joshua Linden, and Brad Kittenbrink.
> 
> 
> Summary
> -------
> 
> Enable Accept-Encoding: deflate, gzip in libcurl via setopt CURLOPT_ENCODING. I'm approaching this for Inventory, but it would apply to any HTTP request that goes through the LLURLRequest code path (vs. the LLCurl code path, which already does this).
> 
> 
> Diffs
> -----
> 
>   indra/llmessage/llurlrequest.cpp 2ae060c0fa91 
> 
> Diff: http://codereview.secondlife.com/r/242/diff
> 
> 
> Testing
> -------
> 
> Inventory loads, and I see the encoding options coming through on the backend apache logs.
> 
> 
> Thanks,
> 
> Stone
> 
>
