Limit header length

2023-03-30 20:08:27 +09:00 · 2023-03-30 20:08:27 +09:00 · 153bdddfc2
commit 153bdddfc2
parent 6439ebc476
2 changed files with 9 additions and 1 deletions
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@ -9,6 +9,8 @@
 # convenient formats.
 #
 module Net::HTTPHeader
+  MAX_KEY_LENGTH = 1024
+  MAX_FIELD_LENGTH = 65536

  def initialize_http_header(initheader)
    @header = {}
@ -19,6 +21,12 @@ module Net::HTTPHeader
        warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE
      else
        value = value.strip # raise error for invalid byte sequences
+        if key.bytesize > MAX_KEY_LENGTH
+          raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..."
+        end
+        if value.bytesize > MAX_FIELD_LENGTH
+          raise ArgumentError, "header #{key} has too long field vallue: #{value.bytesize}"
+        end
        if value.count("\r\n") > 0
          raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF"
        end
--- a/version.h
+++ b/version.h
@ -2,7 +2,7 @@
 # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
 #define RUBY_VERSION_TEENY 8
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 223
+#define RUBY_PATCHLEVEL 224

 #define RUBY_RELEASE_YEAR 2023
 #define RUBY_RELEASE_MONTH 3