
Maximum allowed size for HTTP headers?

Open etnt opened this issue 5 years ago • 7 comments

Should Yaws have a way to limit the acceptable size of the received HTTP headers? I think so :-)

See also: https://stackoverflow.com/questions/686217/maximum-on-http-header-values

etnt, Dec 05 '19 11:12

Currently there's a hard-coded limit of 1000 on the number of headers; see https://github.com/klacke/yaws/blob/master/src/yaws.erl#L2697 and https://github.com/klacke/yaws/blob/master/src/yaws.erl#L2835-L2836. I agree it would be better to have a configurable size limit instead.

vinoski, Dec 05 '19 12:12

Sorry if I was unclear, but I meant the max allowed size of a header value. The reasoning behind this is to try and defend the system from malicious code sending in a huge amount of data in an HTTP header, causing the memory to run out.

etnt, Dec 11 '19 07:12

Yes, I agree that also needs to be addressed.

vinoski, Dec 13 '19 13:12

Note BTW that the maximum length of a request header is controlled by the packet_size hard-coded to 16#4000 on line https://github.com/klacke/yaws/blob/master/src/yaws.erl#L2697 — if a request containing a header longer than that limit is sent, yaws:do_recv/3,4 returns {error,emsgsize}.

vinoski, Dec 15 '19 22:12

Yes, and no. Getting the headers is done by calling do_recv(CliSock, 0, SSL) which will get a possibly infinite line.

gnaeser, Jan 21 '20 08:01

I don't see how it can get an infinite line given the max packet size of 16#4000 set on the socket. I've run experiments with headers that exceed the 16#4000 limit and as I mentioned earlier, {error, emsgsize} is the result. Do you have an example or test case that shows otherwise?

vinoski, Jan 21 '20 12:01

Yes, a clean installation does not express the problem with long lines. I will investigate.

gnaeser, Jan 28 '20 13:01
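
A stand-alone probe for the question debated above, added here as an example and not taken from the thread or from the Yaws source: it sets `packet_size` on a loopback listener and returns whatever `gen_tcp:recv/3` yields for a header value below and above the 16#4000 limit. The module name `hdr_limit_demo`, the functions `run/0` and `probe/2`, the `X-Pad` header and the use of `{packet, http_bin}` on a plain `gen_tcp` socket (rather than `yaws:do_recv`) are assumptions.

```erlang
%% Added example, not Yaws code: module, function and header names are hypothetical.
-module(hdr_limit_demo).
-export([run/0, probe/2]).

%% Probe one value below and one above the 16#4000 limit quoted in the thread.
run() ->
    Limit = 16#4000,
    [{Len, probe(Limit, Len)} || Len <- [1000, 2 * Limit]].

%% Listen on loopback in HTTP packet mode (assumed) with a packet_size cap,
%% send one request whose X-Pad value is ValueLen bytes, and return what the
%% receiving side gets back from gen_tcp:recv/3.
probe(PacketSize, ValueLen) ->
    {ok, L} = gen_tcp:listen(0, [binary, {active, false}, {ip, {127,0,0,1}},
                                 {packet, http_bin}, {packet_size, PacketSize}]),
    {ok, Port} = inet:port(L),
    Client = spawn_link(fun() -> client(Port, ValueLen) end),
    {ok, S} = gen_tcp:accept(L, 5000),
    Result = read_headers(S, 0),
    Client ! stop,
    gen_tcp:close(S),
    gen_tcp:close(L),
    Result.

%% Constructed request: a single padded header, sent once, then wait for stop.
client(Port, ValueLen) ->
    {ok, C} = gen_tcp:connect({127,0,0,1}, Port, [binary, {active, false}]),
    Req = [<<"GET / HTTP/1.1\r\nHost: localhost\r\nX-Pad: ">>,
           binary:copy(<<"a">>, ValueLen), <<"\r\n\r\n">>],
    _ = gen_tcp:send(C, Req),
    receive stop -> gen_tcp:close(C) end.

%% Read decoded HTTP packets until end of headers or the first error.
read_headers(S, Count) ->
    case gen_tcp:recv(S, 0, 5000) of
        {ok, {http_request, _Method, _Uri, _Vsn}} -> read_headers(S, Count);
        {ok, {http_header, _, _Name, _, _Value}}  -> read_headers(S, Count + 1);
        {ok, http_eoh}                            -> {ok, Count};
        {ok, {http_error, Line}}                  -> {http_error, iolist_size(Line)};
        {error, Reason}                           -> {error, Reason}
    end.
```

Compile it in an Erlang shell with `c(hdr_limit_demo).` and call `hdr_limit_demo:run().` to compare the two results on your OTP release.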