Open lambrospetrou opened 3 hours ago
I realized now that curl
(curl 7.81.0
) also does not fail for that file...
curl --max-filesize 10 https://unpkg.com/vue@3.4.27/dist/vue.global.prod.js
According to https://everything.curl.dev/usingcurl/downloads/max-filesize.html though, it should stop after it exceeds the max filesize even if it doesn't know it upfront. But it doesn't.
edit: According to https://curl.se/docs/manpage.html#--max-filesize after curl 8.4.0 it should be rejected:
NOTE: before curl 8.4.0, when the file size is not known prior to download, for such files this option has no effect even if the file transfer ends up being larger than this given limit.
Starting with curl 8.4.0, this option aborts the transfer if it reaches the threshold during transfer.
It seems though that Hurl uses libcurl/7.81.0
(based on hurl --version
).
So, is there a way to update the version used by Hurl, or does that depend on my system's version of curl
?
What is the current bug behavior?
A response of 147KB Javascript file is not rejected with
--max-filesize 100
.Steps to reproduce
Run the above with:
The download of the file succeeds just fine.
What is the expected correct behavior?
The download should be rejected.
For other file types like images or JSON, the max filesize option applies successfully, for example:
Running the above will give out:
With a low enough max filesize (e.g.
10
) it will also fail the second JSON request. Instead of failing at the first entry for the JS file.Execution context
hurl --version
):Possible fixes