@tothi tothi commented Oct 28, 2025

No description provided.

Contributor

rofl0r commented Oct 29, 2025

what's this supposed to resolve? your solution uses a VLA, which is 1) a C99 feature and 2) potentially unsafe. iirc the spec mentions a max size of 255 for both username and password.

Author

tothi commented Oct 29, 2025

Regardless of specs I have an upstream proxy using longer user/pass than 255. So actually I need it. Ok, I understand it is not the best solution, but somehow I needed to fix it. Do you have any ideas how to make it safe and compliant?

Contributor

rofl0r commented Oct 29, 2025

is the combo of user/pass longer than 255 or a single one of them?
i guess the best course of action is to first dig up the relevant RFC for basic auth and then make an informed decision.

Author

tothi commented Oct 29, 2025

actually it is a very long username, it is a token rather than a "username". quickly looked at rfcs, have not found any length limitation yet. but actual implementations like Apache also have 255 hardcoded: https://httpd.apache.org/docs/2.4/programs/htpasswd.html#restrictions

Author

tothi commented Oct 29, 2025

btw, as long as this is only my problem I wouldn't think it is necessary to add it to the prod branch. otherwise, if we don't want to introduce VLA, a basic workaround could be using a compile time option for the length 255 (and leave 255 as default). but I am also happy with my fork if I want to use tinyproxy in this very special situation. so don't feel any pressure, if you want, you can close this PR, I won't be sad. :)

Contributor

rofl0r commented Oct 30, 2025

the RFC does indeed not mention any limits, though it is certainly reasonable to have some. since socks5 restricts each of username/pass to 255 chars, we could eventually allow the same for http auth, meaning a total of 510 chars for both.

Author

tothi commented Oct 30, 2025

thanks, unfortunately it does not help for my current use case. "username" is ~1k chars long.
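
Added example, not part of the thread and not tinyproxy's code: one way to build the Basic credential without a VLA, using the compile-time per-field cap suggested above and a heap buffer whose size is bounded by that cap. `MAX_CRED_LEN` and `basic_auth_encode` are hypothetical names, and the credentials in `main` are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical build-time cap per field; 255 is the default from the thread.
 * Build with -DMAX_CRED_LEN=1024 to admit longer tokens. */
#ifndef MAX_CRED_LEN
#define MAX_CRED_LEN 255
#endif
static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Hypothetical helper: returns malloc'd base64("user:pass"), or NULL when a
 * field exceeds MAX_CRED_LEN or allocation fails. Caller frees the result. */
char *basic_auth_encode(const char *user, const char *pass)
{
    size_t ulen = strlen(user), plen = strlen(pass);
    size_t rawlen, i, o = 0;
    unsigned char *raw;
    char *out;
    if (ulen > MAX_CRED_LEN || plen > MAX_CRED_LEN)
        return NULL;                  /* reject, never truncate a credential */
    rawlen = ulen + 1 + plen;         /* bounded by 2 * MAX_CRED_LEN + 1 */
    raw = calloc(rawlen + 2, 1);      /* +2 zero bytes pad the last group */
    out = malloc(4 * ((rawlen + 2) / 3) + 1);
    if (!raw || !out) { free(raw); free(out); return NULL; }
    memcpy(raw, user, ulen);
    raw[ulen] = ':';
    memcpy(raw + ulen + 1, pass, plen);
    for (i = 0; i < rawlen; i += 3) {
        unsigned long v = ((unsigned long)raw[i] << 16) |
                          ((unsigned long)raw[i + 1] << 8) | raw[i + 2];
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = (i + 1 < rawlen) ? b64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < rawlen) ? b64[v & 63] : '=';
    }
    out[o] = '\0';
    free(raw);
    return out;
}

int main(void)
{
    char *h = basic_auth_encode("Aladdin", "open sesame"); /* constructed input */
    if (h) printf("Proxy-Authorization: Basic %s\n", h);
    free(h);
    return 0;
}
```

Variables are declared at the top of the block so the function also compiles as C89; an over-length field fails closed instead of sending a truncated credential upstream.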
