
TROVE-2021-001: Bug in dump_desc() code

The dump_desc() code dumps its entire input, but it is sometimes called with an input that extends beyond the end of the string.

This can cause two kinds of bugs:

  • A CPU-based DoS bug, where we try to parse a string that contains a zillion tiny unparseable descriptors.
  • Possibly, an unbounded read bug, where we read off the end of an allocation. The latter is not a privacy leak, since we don't expose the data, but it could be a crash bug. (I think it might not even be a crash bug, since we NUL-terminate our downloads, but we should check.)

For 0.3.5 through 0.4.4, I believe we should just disable dump_desc().

For a real fix, we should give it a length argument.
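The following is an added illustration of the bug shape and of the proposed fix; it is not Tor's dump_desc() or any other Tor code, and the line-based "descriptor" parser, the function names and the two-byte "x\n" input are all constructed for the example. The unbounded version dumps from the pointer it is given up to the NUL terminator, so when it is handed a pointer into the middle of a larger download it dumps the entire remainder each time; over n unparseable descriptors that is n*(n+1) bytes of work instead of 2*n, which is the CPU DoS described above. The version with a length argument dumps only the failing descriptor and no longer depends on the buffer being NUL-terminated at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the descriptor parser (not Tor's): each
 * "descriptor" is one '\n'-terminated line, and a line parses only if it
 * starts with "ok". Returns the number of bytes in the line (always
 * consumed, parsed or not) and sets *ok_out. */
static size_t parse_one(const char *s, size_t remaining, int *ok_out)
{
    const char *nl = memchr(s, '\n', remaining);
    size_t len = nl ? (size_t)(nl - s) + 1 : remaining;
    *ok_out = (len >= 2 && s[0] == 'o' && s[1] == 'k');
    return len;
}

/* The shape of the bug: no length argument, so the dump runs from 'desc'
 * to the terminating NUL. When 'desc' points into the middle of a larger
 * string, that is the whole rest of the download, not the one descriptor
 * that failed. Even the strlen() walk alone is a full pass over the tail.
 * Returns the number of bytes dumped. */
static size_t dump_desc_unbounded(const char *desc, FILE *out)
{
    size_t n = strlen(desc);
    if (out)
        fwrite(desc, 1, n, out);
    return n;
}

/* The fix the issue proposes: a length argument, so only the bytes of the
 * failing descriptor are dumped and no NUL terminator is needed. */
static size_t dump_desc_bounded(const char *desc, size_t len, FILE *out)
{
    if (out)
        fwrite(desc, 1, len, out);
    return len;
}

/* Parse every descriptor in buf[0..buflen), dumping each one that fails.
 * Returns the total number of bytes dumped; pass out == NULL to count only. */
static size_t parse_all(const char *buf, size_t buflen, int bounded, FILE *out)
{
    size_t pos = 0, dumped = 0;
    while (pos < buflen) {
        int ok;
        size_t len = parse_one(buf + pos, buflen - pos, &ok);
        if (!ok) {
            dumped += bounded ? dump_desc_bounded(buf + pos, len, out)
                              : dump_desc_unbounded(buf + pos, out);
        }
        pos += len;
    }
    return dumped;
}

/* Total bytes dumped for a NUL-terminated input, without writing anything. */
size_t dump_total(const char *buf, int bounded)
{
    return parse_all(buf, strlen(buf), bounded, NULL);
}

/* Constructed worst case: n tiny unparseable descriptors ("x\n") in one
 * NUL-terminated download. The unbounded dump costs n*(n+1) bytes, the
 * bounded one 2*n. Returns 0 if the buffer cannot be allocated. */
size_t worst_case_bytes(size_t n, int bounded)
{
    char *buf = malloc(2 * n + 1);
    if (!buf)
        return 0;
    for (size_t i = 0; i < n; i++) {
        buf[2 * i] = 'x';
        buf[2 * i + 1] = '\n';
    }
    buf[2 * n] = '\0';
    size_t total = parse_all(buf, 2 * n, bounded, NULL);
    free(buf);
    return total;
}

int main(void)
{
    size_t n = 1000;
    printf("n=%zu: unbounded dump %zu bytes, bounded dump %zu bytes\n",
           n, worst_case_bytes(n, 0), worst_case_bytes(n, 1));
    return 0;
}
```

The example only models the quadratic-work bug. The possible over-read in the second bullet is the same missing length argument seen from the other side: dump_desc_unbounded() stops at a NUL it has no guarantee of finding, while dump_desc_bounded() never reads past the length the caller already knows.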

Edited by Nick Mathewson