From: Daniel Stenberg Date: Fri, 17 Mar 2023 23:08:13 +0000 (+0100) Subject: SECURITY-PROCESS.md: Busy-loops are not security problems X-Git-Tag: curl-8_0_0~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bb334dfdde73fba5601565f47572ec10c67bc62b;p=thirdparty%2Fcurl.git SECURITY-PROCESS.md: Busy-loops are not security problems Closes #10790 --- diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 89026b6446..1e85805d76 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -260,3 +260,11 @@ security vulnerabilities. - virtually every argument can contain sensitive data, depending on use - blanking all arguments would make it impractical for users to differentiate curl command lines in process listings + +## Busy-loops + +Busy-loops that consume 100% CPU time but eventually end (perhaps due to a set +timeout value or otherwise) are not considered security problems. Applications +are supposed to already handle situations when the transfer loop legitimately +consumes 100% CPU time, so while a prolonged such busy-loop is a nasty bug, we +do not consider it a security problem.
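Review bot: The first sentence of the new "Busy-loops" section leaves the edge of the exclusion undefined: it covers loops that "eventually end (perhaps due to a set timeout value or otherwise)" but does not say how a busy-loop that never ends is classified, or one that ends only when the application has set a timeout. Suggest saying explicitly whether a non-terminating loop is still handled as a security problem, so that reporters and triagers read the rule the same way. Style point in the last sentence: "a prolonged such busy-loop" reads awkwardly; "such a prolonged busy-loop" is clearer, and the closing clause "we do not consider it a security problem" repeats the conclusion of the first sentence and could be dropped.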