Mido had an unpatchable DoS vulnerability since its release. The issue was that Microsoft servers could send us data forever until OOM or disk space fills up. I knew about this issue but just tried to limit the untrusted size after running curl, which was generally a good idea but didn't resolve the DoS issue.

I let the curl team know about the issue and they changed how --max-filesize works to make it fixable: https://github.com/curl/curl/issues/11810

I released the fix in the latest commit: https://github.com/ElliotKillick/Mido/commit/f06a1286f8ef137c5ca1fac39c9b9cace27f43a7

To make sure the fix applies to you, please ensure your curl is at least version 8.4.0 (run curl --version).

Thanks, Elliot
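
The version requirement above can be enforced in a script rather than checked by hand. The following is an added example, not part of the original post and not Mido's code: the function names and the idea of passing the byte cap as an argument are assumptions. It refuses to download unless curl is at least 8.4.0, because on older versions --max-filesize has no effect when the server does not announce the size up front.

```shell
#!/bin/sh
# Added example, not Mido's code. Function names are hypothetical.

# Extract "X.Y.Z" from the first line of `curl --version` output ($1).
parse_curl_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when version $1 >= version $2, comparing each component as a
# number (a plain string compare would wrongly rank 8.10.1 below 8.4.0).
# Returns 2 when either argument is not in X.Y.Z form.
version_ge() {
    old_ifs=$IFS; IFS=.
    # Word splitting on "." is intended here.
    set -- $1 $2
    IFS=$old_ifs
    [ $# -eq 6 ] || return 2
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Download URL $1 to file $2, aborting once more than $3 bytes arrive.
# Fails closed when the installed curl is too old to enforce the cap
# on a response of unknown length.
bounded_download() {
    ver=$(parse_curl_version "$(curl --version)")
    version_ge "$ver" 8.4.0 || {
        echo "curl ${ver:-unknown} < 8.4.0: --max-filesize cannot stop an unbounded stream" >&2
        return 1
    }
    curl --fail --max-filesize "$3" --output "$2" --url "$1"
}
```
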