Add comment indicating source of signature budget

ctz · cpu · commit 737cfecfa758 · 2023-09-08T14:47:53.000-04:00
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
@@ -242,7 +242,13 @@ impl Budget {
 
 impl Default for Budget {
     fn default() -> Self {
-        Self { signatures: 100 }
+        Self {
+            // This limit is taken from the remediation for golang CVE-2018-16875.  However,
+            // note that golang subsequently implemented AKID matching due to this limit
+            // being hit in real applications (see <https://github.com/spiffe/spire/issues/1004>).
+            // So this may actually be too aggressive.
+            signatures: 100,
+        }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -242,7 +242,13 @@ impl Budget {`
`242`	`242`
`243`	`243`	`impl Default for Budget {`
`244`	`244`	`fn default() -> Self {`
`245`		`- Self { signatures: 100 }`
	`245`	`+ Self {`
	`246`	`+ // This limit is taken from the remediation for golang CVE-2018-16875. However,`
	`247`	`+ // note that golang subsequently implemented AKID matching due to this limit`
	`248`	`+ // being hit in real applications (see <https://github.com/spiffe/spire/issues/1004>).`
	`249`	`+ // So this may actually be too aggressive.`
	`250`	`+ signatures: 100,`
	`251`	`+ }`
`246`	`252`	`}`
`247`	`253`	`}`
`248`	`254`