
Ticket #90 (defect)

Opened 4 years ago

Last modified 3 years ago

Limit size of request header and body

Status: closed (fixed)

Reported by: rdelon
Assigned to: rdelon
Priority: normal
Milestone: 2.1-rc1
Component: CherryPy code
Keywords:
Cc:

Change History

08/23/05 11:02:45: Modified by lawouach

Could someone explain this one?

08/23/05 11:06:49: Modified by rdelon

This is to protect us against attacks ... Someone could send a huge request header or body and block a thread for a long time ... So if the request header or body is over a certain limit we should just stop reading the request and abort. These parameters should be configurable.

08/23/05 11:13:28: Modified by lawouach

True.

And in this case, we should send HTTP code 413 : http://rfc.net/rfc2616.html#s10.4.14
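The limit described in the two comments above, as an added example that is not CherryPy's own code: a request reader that counts header bytes as it reads them, checks Content-Length before touching the body, and answers 413 as soon as either limit is exceeded instead of buffering the whole request first. The limits, the function names and the sample requests are all constructed for illustration.

```python
"""Added example (not CherryPy's code): abort oversized requests early with 413.

The header block is read line by line and counted as it arrives, so a client
sending an endless header block is cut off after max_header_bytes rather than
tying up the thread while the whole thing lands in memory.  The body is never
read at all when the declared Content-Length exceeds max_body_bytes.
"""
import io

MAX_HEADER_BYTES = 8 * 1024   # assumed limit for the whole header block
MAX_BODY_BYTES = 64 * 1024    # assumed limit for the entity body


class RequestTooLarge(Exception):
    """Raised as soon as a limit is exceeded; the caller answers with 413."""


def read_headers(stream, max_header_bytes=MAX_HEADER_BYTES):
    """Return (request_line, headers) without buffering more than the limit."""
    total = 0
    lines = []
    while True:
        # Never ask for more than the remaining budget plus one byte; the
        # extra byte is what tells us the block is over the limit.
        line = stream.readline(max_header_bytes - total + 1)
        total += len(line)
        if total > max_header_bytes:
            raise RequestTooLarge("header block exceeds %d bytes" % max_header_bytes)
        if line in (b"", b"\r\n", b"\n"):
            break                              # blank line ends the headers
        lines.append(line.rstrip(b"\r\n"))
    if not lines:
        raise ValueError("empty request")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def read_body(stream, headers, max_body_bytes=MAX_BODY_BYTES):
    """Check Content-Length first, then read at most the declared length."""
    length = int(headers.get("content-length", "0"))   # ValueError if not numeric
    if length < 0:
        raise ValueError("negative Content-Length")
    if length > max_body_bytes:
        raise RequestTooLarge("body of %d bytes exceeds %d" % (length, max_body_bytes))
    body = stream.read(length)     # a client sending more than declared is ignored
    if len(body) != length:
        raise ValueError("body shorter than Content-Length")
    return body


def handle(raw_request, max_header_bytes=MAX_HEADER_BYTES, max_body_bytes=MAX_BODY_BYTES):
    """Return (status, payload) for a raw request: 413 when a limit is hit,
    400 for malformed input, 200 with the body otherwise."""
    stream = io.BytesIO(raw_request)
    try:
        _request_line, headers = read_headers(stream, max_header_bytes)
        body = read_body(stream, headers, max_body_bytes)
    except RequestTooLarge as exc:
        return 413, str(exc).encode("latin-1")
    except ValueError as exc:
        return 400, str(exc).encode("latin-1")
    return 200, body


# Constructed sample requests: one well within the limits, one with an
# oversized body, one with an oversized header block.
OK_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\n\r\nhello")
BIG_BODY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 100000\r\n\r\n" + b"x" * 100000)
BIG_HEADER = b"GET / HTTP/1.1\r\nX-Pad: " + b"a" * 9000 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("ok", OK_REQUEST), ("big body", BIG_BODY), ("big header", BIG_HEADER)):
        print(name, handle(req)[0])
```

Reading the body only after the Content-Length check is what makes the limit cheap to enforce: the oversized request is rejected after a few kilobytes of headers, and the remaining bytes are never read off the socket.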

08/23/05 11:16:08: Modified by lawouach

08/23/05 11:18:23: Modified by lawouach

08/28/05 13:08:46: Modified by lawouach

To be useful we need to test the length of the header entity and the body entity early in the process.

It either means we need to let the server handlers (WSGI, built-in HTTP, or else) do the job, or we need to do that in processRequestHeaders() and processRequestBody().

The former one seems to get the headers through self.requestHeaders which is a generator, thus we can't compute its length. We can wait for the request.headerMap to be filled up. But then it seems to be late in the process IMO.

The latter is either to be done once FieldStorage has been called or before, but again it sounds late to be really useful.

So, I feel like we should leave that to the server handlers instead as a good practice.

09/01/05 19:07:25: Modified by mikerobi

server.maxRequestSize can now be used to set the maximum size of a post body.

09/01/05 20:18:19: Modified by fumanchu

Changeset [585] partially addresses this.

Do we really need per-path config on this, though? It seems to me that server.maxRequestSize could be inspected once (on server.start()) to set cgi.maxlen. I certainly don't think we need a threadlocal object involved; in fact, I have my doubts it's working as expected. It would be good to see a decisive test in test_core.

>>> cgi.maxlen
<cherrypy._cpcgifs.LocalInt instance at 0x01062710>
>>> cgi.maxlen == 5
False

09/05/05 06:03:39: Modified by rdelon

  • milestone set to 2.1-rc1.

09/06/05 12:53:51: Modified by mikerobi

I'm perfectly happy making this a global setting.

09/11/05 13:59:32: Modified by rdelon

Implementation done in [626]. Still need to write docs for new config options

09/12/05 12:51:58: Modified by rdelon

  • status changed from new to closed.
  • resolution set to fixed.

Done in changeset [626] (code) and [628] (docs)
