1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/net-http] Limit header length

Browse Source 
https://github.com/ruby/net-http/commit/c245f7f9c8
This commit is contained in:
NAKAMURA Usaku 2023-03-30 20:10:01 +09:00 committed by git
parent 2093e4c2db
commit d8b8294c28
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/net/http/header.rb
View File

@ -179,6 +179,8 @@
# - #each_value: Passes each string field value to the block. # - #each_value: Passes each string field value to the block.
# #
module Net::HTTPHeader module Net::HTTPHeader
MAX_KEY_LENGTH = 1024
MAX_FIELD_LENGTH = 65536
def initialize_http_header(initheader) #:nodoc: def initialize_http_header(initheader) #:nodoc:
@header = {} @header = {}
@ -189,6 +191,12 @@ module Net::HTTPHeader
warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE
else else
value = value.strip # raise error for invalid byte sequences value = value.strip # raise error for invalid byte sequences
if key.bytesize > MAX_KEY_LENGTH
raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..."
end
if value.bytesize > MAX_FIELD_LENGTH
raise ArgumentError, "header #{key} has too long field vallue: #{value.bytesize}"
end
if value.count("\r\n") > 0 if value.count("\r\n") > 0
raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF" raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF"
end end