Maximum allowed size for HTTP headers? #398

Open
etnt opened this issue Dec 5, 2019 · 7 comments
Comments

etnt (Collaborator) commented Dec 5, 2019

Should Yaws have a way to limit the acceptable size of the received HTTP headers?
I think so :-)

See also: https://stackoverflow.com/questions/686217/maximum-on-http-header-values

vinoski (Collaborator) commented Dec 5, 2019

Currently there's a hard-coded limit of 1000 on the number of headers; see https://github.com/klacke/yaws/blob/master/src/yaws.erl#L2697 and https://github.com/klacke/yaws/blob/master/src/yaws.erl#L2835-L2836 . I agree it would be better to have a configurable size limit instead.

etnt (Collaborator, Author) commented Dec 11, 2019

Sorry if I was unclear, but I meant the max allowed size of a header value.
The reasoning behind this is to try and defend the system from malicious code sending in a huge amount of data in an HTTP header, causing the memory to run out.

vinoski (Collaborator) commented Dec 13, 2019

Yes, I agree that also needs to be addressed.

vinoski (Collaborator) commented Dec 15, 2019

Note BTW that the maximum length of a request header is controlled by the packet_size hard-coded to 16#4000 on line https://github.com/klacke/yaws/blob/master/src/yaws.erl#L2697 — if a request containing a header longer than that limit is sent, yaws:do_recv/3,4 returns {error,emsgsize}.
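
A way to check the socket-level limit described in the comment above, as an added example that is not part of the issue or of the Yaws code base: it opens a loopback listener with `{packet, http}` and `{packet_size, 16#4000}`, sends one request whose header value has a chosen length, and returns what `gen_tcp:recv/3` reports for the header lines. The module name `hdr_limit_demo`, the function names and the `X-Pad` header are assumptions made for the example.

```erlang
%% Added example (not Yaws code): probe how a {packet, http} socket with a
%% packet_size limit reacts to an oversized request header line.
-module(hdr_limit_demo).
-export([probe/1, run/0]).

-define(PACKET_SIZE, 16#4000).   % the value quoted in the thread

%% Send one request whose X-Pad header value is ValueLen bytes long and
%% return how the accepting side sees the header section.
probe(ValueLen) ->
    {ok, L} = gen_tcp:listen(0, [binary, {active, false}, {reuseaddr, true},
                                 {packet, http},
                                 {packet_size, ?PACKET_SIZE}]),
    {ok, Port} = inet:port(L),
    {ok, C} = gen_tcp:connect({127,0,0,1}, Port, [binary, {active, false}]),
    {ok, S} = gen_tcp:accept(L, 5000),       % inherits the listener's options
    Pad = binary:copy(<<"a">>, ValueLen),    % constructed sample input
    ok = gen_tcp:send(C, [<<"GET / HTTP/1.1\r\nHost: localhost\r\nX-Pad: ">>,
                          Pad, <<"\r\n\r\n">>]),
    {ok, {http_request, 'GET', _, _}} = gen_tcp:recv(S, 0, 5000),
    Result = read_headers(S, 0),
    lists:foreach(fun gen_tcp:close/1, [C, S, L]),
    Result.

%% Read header packets one at a time, counting the ones accepted so far.
read_headers(S, N) ->
    case gen_tcp:recv(S, 0, 5000) of
        {ok, {http_header, _, _Name, _, _Value}} -> read_headers(S, N + 1);
        {ok, http_eoh}                           -> {ok, N};
        {ok, Other}                              -> {unexpected, Other, N};
        {error, Reason}                          -> {error, Reason, N}
    end.

%% Compare a header well under the limit with one just over it.
run() ->
    io:format("small header: ~p~n", [probe(100)]),
    io:format("large header: ~p~n", [probe(?PACKET_SIZE + 1)]).
```

Calling `hdr_limit_demo:run()` in an Erlang shell prints both outcomes side by side, so the rejection threshold can be compared against the memory-exhaustion concern raised earlier in the thread.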

gnaeser commented Jan 21, 2020

Yes, and no. Getting the headers is done by calling do_recv(CliSock, 0, SSL) which will get a possibly infinite line.

vinoski (Collaborator) commented Jan 21, 2020

I don't see how it can get an infinite line given the max packet size of 16#4000 set on the socket. I've run experiments with headers that exceed the 16#4000 limit and as I mentioned earlier, {error, emsgsize} is the result. Do you have an example or test case that shows otherwise?

gnaeser commented Jan 28, 2020

Yes, a clean installation does not express the problem with long lines. I will investigate.
