Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

WebSocket upgrade request body limit #2648

Closed
vietj opened this issue Oct 3, 2018 · 0 comments
Closed

WebSocket upgrade request body limit #2648

vietj opened this issue Oct 3, 2018 · 0 comments
Assignees
@vietj
Labels
bug major
Milestone
3.5.4

Comments

@vietj
Copy link
Member

vietj commented Oct 3, 2018

CVE-2018-12541: The WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.
@vietj vietj added this to the 3.5.4 milestone Oct 3, 2018
@vietj vietj self-assigned this Oct 3, 2018
vietj added a commit that referenced this issue Oct 3, 2018
@vietj
CVE-2018-12541: When a WebSocket upgrade has a body > 8192 send an ap…
269a583 
…propriate response immediately and close the connection afterward. - fixes #2648
@vietj vietj closed this as completed Oct 3, 2018
@vietj vietj mentioned this issue Oct 3, 2018
Closed
22 tasks
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@vietj vietj

Labels
bug major
Projects
None yet
Milestone
3.5.4
Development

No branches or pull requests
1 participant
@vietj