Enable CURLOPT_ENCODING for Inventory caps, which uses the LLURLRequest code path


Submitter:	Stone Linden	Reviewers
Branch:		Groups:	viewer
Bugs:	vwr-25376	People:	oz.linden, joshua.linden, brad.linden
Change Number:	None	Repository:	viewer-development

Description:

Enable Accept-Encoding: deflate, gzip in libcurl via setopt CURLOPT_ENCODING. I'm approaching this for Inventory, but it would apply to any HTTP request that goes through the LLURLRequest code path (vs. the LLCurl code path, which already does this).

Testing Done:

Inventory loads, and I see the encoding options coming through on the backend apache logs.

Expand All

Before shipping, review the exploit history around CURLOPT_ENCODING.  There is a
known buffer overflow exploit, I believe in pre-7.20 releases but that should be
checked first for applicability.

Stone Linden March 29, 2011, 10:09 a.m. (March 29, 2011, 10:09 a.m.)

Thank you, found it:
http://curl.haxx.se/docs/adv_20100209.html

The advisory applies to libcurl < 7.20. We are using libcurl 7.21.1.

Looks good.

Merov Linden March 29, 2011, 6:03 p.m. (March 29, 2011, 6:03 p.m.)
```
BTW, what's the JIRA for this patch?
```
Stone Linden March 30, 2011, 5:35 p.m. (March 30, 2011, 5:35 p.m.)
```
VWR-25286
```
Stone Linden March 30, 2011, 5:36 p.m. (March 30, 2011, 5:36 p.m.)
```
Sorry, VWR-25376
```

Bugs Closed
- added vwr-25376

Description:

adding the issue reference in the Bugs field

Looks good. 

Empty-string ("") is a signal to curl to send an Accept-Encoding header with any type it understands and can transparently decode on receipt. On the one hand, it might be nice to define a constant empty string so that this behavior is more obvious, but on the other using literal empty strings will match what people might search for.

You have a pending review.

Other reviews

Your comment

Review Board 1.6.11

This change has been marked as submitted.