Curl: netrc truncates logins and passwords to ~240 chars.

Created on 22 Jun 2018 · 3 Comments · Source: curl/curl

dirbaio@jupiter:~$ cat > .netrc <<EOF
machine example.com
login test
password 012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
EOF
dirbaio@jupiter:~$ curl -n -v https://example.com
(...)
> Authorization: Basic dGVzdDowMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU=
(...)

If you base64-decode the sent credentials, you get test:012345678(...)012345. The password is (silently!) truncated to 246 characters.

I'm hitting this problem when trying to clone a Git repo from a private system that needs OpenID Connect tokens as passwords, which are ~800 chars.

curl/libcurl version

curl 7.60.0 (x86_64-pc-linux-gnu) libcurl/7.60.0 OpenSSL/1.1.0h zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.4) nghttp2/1.31.1
Release-Date: 2018-05-16
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 

operating system

Arch Linux

All 3 comments

Right, the limit seems to be that the current code is only allowing 256 bytes for the whole line:

https://github.com/curl/curl/blob/bc5a0b3e9f16a431523ae54822adc38c3a396a26/lib/netrc.c#L118-L119

A cheap fix would be to instead allow it to use 4096 or something thereabouts: much larger, but not large enough to cause any problems. What do you think?

That would solve my particular issue, yes. Let's just hope no one needs more than 4096 chars :)

It's been 256 bytes since 2003 and you're the first to report a problem with it. I presume 4096 should be good for a few years more =)
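The truncation discussed in this thread, reproduced as an added example (not curl's code and not part of any comment above): a reader with a 256-byte whole-line buffer keeps only 246 characters of a longer password, because `fgets()` stores at most 255 characters and `password ` takes 9 of them. The function names, the `strict` flag and the constructed `.netrc` contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 256 /* whole-line limit described in the thread */

/* Return the length of the first "password <value>" entry read through a
 * fixed line buffer, or -1 if there is none. fgets() stores at most
 * LINE_BUF-1 characters, so a longer line comes back cut short. With
 * strict set, such a line is rejected (-2) instead of used. */
static long netrc_password_len(FILE *fp, int strict)
{
  char line[LINE_BUF];
  while(fgets(line, sizeof(line), fp)) {
    size_t n = strlen(line);
    /* a complete line ends in '\n' or is the unterminated last line */
    int complete = (n > 0 && line[n - 1] == '\n') || feof(fp);
    if(strict && !complete)
      return -2; /* did not fit: fail loudly, never truncate a secret */
    if(strncmp(line, "password ", 9) == 0) {
      line[strcspn(line, "\r\n")] = '\0';
      return (long)strlen(line + 9);
    }
  }
  return -1;
}

/* Constructed sample: a .netrc whose password is pwlen digits. */
static long demo(size_t pwlen, int strict)
{
  FILE *fp = tmpfile();
  long r;
  size_t i;
  if(!fp)
    return -3;
  fputs("machine example.com\nlogin test\npassword ", fp);
  for(i = 0; i < pwlen; i++)
    fputc('0' + (int)(i % 10), fp);
  fputc('\n', fp);
  rewind(fp);
  r = netrc_password_len(fp, strict);
  fclose(fp);
  return r;
}

int main(void)
{
  printf("lenient, 800 chars: %ld\n", demo(800, 0)); /* 246 */
  printf("strict,  800 chars: %ld\n", demo(800, 1)); /* -2 */
  return 0;
}
```

Raising the buffer size moves the limit; the strict check is what turns an over-long credential line into a visible error instead of a failed login with a shortened secret.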
