SECURITY-PROCESS.md: Busy-loops are not security problems

author Daniel Stenberg <daniel@haxx.se>

Fri, 17 Mar 2023 23:08:13 +0000 (00:08 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Sat, 18 Mar 2023 08:59:23 +0000 (09:59 +0100)
author Daniel Stenberg <daniel@haxx.se>
Fri, 17 Mar 2023 23:08:13 +0000 (00:08 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Sat, 18 Mar 2023 08:59:23 +0000 (09:59 +0100)
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md

index 89026b6446bbc699f18070db410da27bde65dc44..1e85805d7603e8e1d71824d982ac310a926748a1 100644 (file)
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -260,3 +260,11 @@ security vulnerabilities.
   - virtually every argument can contain sensitive data, depending on use
   - blanking all arguments would make it impractical for users to differentiate
     curl command lines in process listings
+
+## Busy-loops
+
+Busy-loops that consume 100% CPU time but eventually end (perhaps due to a set
+timeout value or otherwise) are not considered security problems. Applications
+are supposed to already handle situations when the transfer loop legitimately
+consumes 100% CPU time, so while a prolonged such busy-loop is a nasty bug, we
+do not consider it a security problem.
author	Daniel Stenberg <daniel@haxx.se>
	Fri, 17 Mar 2023 23:08:13 +0000 (00:08 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Sat, 18 Mar 2023 08:59:23 +0000 (09:59 +0100)