Skip to content
This repository was archived by the owner on Nov 6, 2022. It is now read-only.

support overriding HTTP_MAX_HEADER_SIZE at runtime #453

Merged
cjihrig merged 1 commit into from
Dec 20, 2018
Merged

support overriding HTTP_MAX_HEADER_SIZE at runtime #453

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
support overriding HTTP_MAX_HEADER_SIZE at runtime 
This commit adds http_parser_set_max_header_size(), which can
override the compile time HTTP_MAX_HEADER_SIZE value.

Fixes: nodejs/node#24692
Refs: nodejs/node#24811
PR-URL: #453
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  • Loading branch information
@cjihrig
cjihrig committed Dec 20, 2018
commit 0ae8d93f7335c0279f37b5ca5c26ea881ac17586
17 changes: 12 additions & 5 deletions http_parser.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@
#include <string.h>
#include <limits.h>

static uint32_t max_header_size = HTTP_MAX_HEADER_SIZE;

#ifndef ULLONG_MAX
# define ULLONG_MAX ((uint64_t) -1) /* 2^64-1 */
#endif
Expand Down Expand Up @@ -139,20 +141,20 @@ do { \
} while (0)

/* Don't allow the total size of the HTTP headers (including the status
* line) to exceed HTTP_MAX_HEADER_SIZE. This check is here to protect
* line) to exceed max_header_size. This check is here to protect
* embedders against denial-of-service attacks where the attacker feeds
* us a never-ending header that the embedder keeps buffering.
*
* This check is arguably the responsibility of embedders but we're doing
* it on the embedder's behalf because most won't bother and this way we
* make the web a little safer. HTTP_MAX_HEADER_SIZE is still far bigger
* make the web a little safer. max_header_size is still far bigger
* than any reasonable request or response so this should never affect
* day-to-day operation.
*/
#define COUNT_HEADER_SIZE(V) \
do { \
nread += (V); \
if (UNLIKELY(nread > (HTTP_MAX_HEADER_SIZE))) { \
if (UNLIKELY(nread > max_header_size)) { \
SET_ERRNO(HPE_HEADER_OVERFLOW); \
goto error; \
} \
Expand Down Expand Up @@ -1256,7 +1258,7 @@ size_t http_parser_execute (http_parser *parser,
switch (parser->header_state) {
case h_general: {
size_t limit = data + len - p;
limit = MIN(limit, HTTP_MAX_HEADER_SIZE);
limit = MIN(limit, max_header_size);
while (p+1 < data + limit && TOKEN(p[1])) {
p++;
}
Expand Down Expand Up @@ -1494,7 +1496,7 @@ size_t http_parser_execute (http_parser *parser,
const char* p_lf;
size_t limit = data + len - p;

limit = MIN(limit, HTTP_MAX_HEADER_SIZE);
limit = MIN(limit, max_header_size);

p_cr = (const char*) memchr(p, CR, limit);
p_lf = (const char*) memchr(p, LF, limit);
Expand Down Expand Up @@ -2478,3 +2480,8 @@ http_parser_version(void) {
HTTP_PARSER_VERSION_MINOR * 0x00100 |
HTTP_PARSER_VERSION_PATCH * 0x00001;
}

void
http_parser_set_max_header_size(uint32_t size) {
max_header_size = size;
}
3 changes: 3 additions & 0 deletions http_parser.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -430,6 +430,9 @@ void http_parser_pause(http_parser *parser, int paused);
/* Checks if this is the final chunk of the body. */
int http_body_is_final(const http_parser *parser);

/* Change the maximum header size provided at compile time. */
void http_parser_set_max_header_size(uint32_t size);

#ifdef __cplusplus
}
#endif
Expand Down