Jean Jacques Drouin pointed out that you could only have a user name or

password of 127 bytes or less embedded in a URL, where actually the code
uses a 255 byte buffer for it! Modified now to use the full buffer size.

CHANGES

@@ -8,6 +8,14 @@
 
 
 
+Daniel (16 December 2005)
+- Jean Jacques Drouin pointed out that you could only have a user name or
+  password of 127 bytes or less embedded in a URL, where actually the code
+  uses a 255 byte buffer for it! Modified now to use the full buffer size.
+
+Daniel (12 December 2005)
+- Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly
+
 Version 7.15.1 (7 December 2005)
 
 Daniel (6 December 2005)

RELEASE-NOTES

@@ -15,14 +15,16 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
- o 
+ o supports name and passwords up to 255 bytes long, embedded in URLs
+ o the HTTP_ONLY define disables the TFTP support
 
 Other curl-related news since the previous public release:
 
- o 
+ o http://curl.hkmirror.org/ is a new curl web mirror in Hong Kong
 
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
+ Dov Murik, Jean Jacques Drouin
  
         Thanks! (and sorry if I forgot to mention someone)

lib/url.c

@@ -3166,12 +3166,13 @@ static CURLcode CreateConnection(struct SessionHandle *data,
 
         if(*userpass != ':') {
           /* the name is given, get user+password */
-          sscanf(userpass, "%127[^:@]:%127[^@]",
+          sscanf(userpass, "%" MAX_CURL_USER_LENGTH_TXT "[^:@]:"
+                 "%" MAX_CURL_PASSWORD_LENGTH_TXT "[^@]",
                  user, passwd);
         }
         else
           /* no name given, get the password only */
-          sscanf(userpass, ":%127[^@]", passwd);
+          sscanf(userpass, ":%" MAX_CURL_PASSWORD_LENGTH_TXT "[^@]", passwd);
 
         if(user[0]) {
           char *newname=curl_unescape(user, 0);