Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

return error when receiving too large headers #11582

Closed
wants to merge 4 commits into from
Closed

return error when receiving too large headers #11582

wants to merge 4 commits into from

Conversation

bagder
Copy link
Member

@bagder bagder commented Aug 2, 2023
edited

To avoid abuse. The limit is set to [updated] 300 KB.

Test 497 verifies.

@github-actions github-actions bot added the tests label Aug 2, 2023
@bagder
Copy link
Member Author

bagder commented Aug 3, 2023
edited

I did some live tests with my Firefox and Chrome on Linux. Sending an endless stream of headers, when do they give up?

  • Firefox: around 1MB
  • Chrome: between 256KB and 300KB

Neither of them seems to have a fixed limit as repeated runs show different results.

Based on this, I think I should up the curl limit to 300KB.

@bagder
http: return error for receiving too large header set
b2bf22b 
To avoid abuse. The limit is set to 300 KB. Incomplete research suggests
that Chrome uses a 256-300 KB limit, while Firefox allows up to 1MB.

Closes #11582
@bagder
test497: verify rejecting too large incoming headers
0f4545b
@bagder
fixup test497 for the generic hyper error
882535c 
hyper has its own limit, I don't know what
@bagder
Copy link
Member Author

bagder commented Aug 3, 2023

hyper has (rather annoyingly) its own limit which also returns a generic error which makes it very hard for us to catch specifically making us forced to return a rather bad error code there.

Also, I don't know what the hyper limit is but I have asked: hyperium/hyper#3283

@bagder bagder closed this in 3ee79c1 Aug 3, 2023
@bagder bagder deleted the bagder/headers-maxsize branch August 3, 2023 15:13
ptitSeb pushed a commit to wasix-org/curl that referenced this pull request Sep 25, 2023
@bagder @ptitSeb
http: return error when receiving too large header set
4930338 
To avoid abuse. The limit is set to 300 KB for the accumulated size of
all received HTTP headers for a single response. Incomplete research
suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
1MB.

Closes curl#11582
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
tests
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@bagder