net/http: optional Request-line length limit #15494

Closed
markstgodard opened this issue Apr 29, 2016 · 7 comments

Comments

@markstgodard

I am using the net/http ReverseProxy server and encountering cases where it would be ideal to reject HTTP requests whose request-line exceeds some configurable value.

According to the RFC and request-line:

Request-Line   = Method SP Request-URI SP HTTP-Version CRLF

there is no predefined limit on the request line size, so the HTTP server in Go is doing the right thing.

However, for scenarios such as plain old invalid requests or potentially malicious requests with large payloads, it would be ideal to have the option to cap the request-line and return a 400 - Bad Request.

Any thoughts on potentially providing optional support to have a max length request line?

Cheers

@bradfitz
Contributor

Can't you just do it yourself in your http.Handler or Handler wrapper? We already give you the Server.MaxHeaderBytes knob as a DoS prevention mechanism.

@bradfitz bradfitz added this to the Unplanned milestone Apr 30, 2016
@bradfitz bradfitz changed the title Optional Request-line limit length net/http: optional Request-line length limit Apr 30, 2016
@markstgodard
Author

Hi @bradfitz

Thanks for the info.

I originally thought that Server.MaxHeaderBytes was only limiting the reader of all the HTTP headers, but this would also include Read-Line?

I did a quick test and it seems like it is also limiting the read-line.

Thanks

@bradfitz
Contributor

I'll send a documentation change.

@markstgodard
Author

Thanks for clarifying! 👍 🍺

@markstgodard
Author

Hi @bradfitz

One last question, would you be open to having a separate Server.MaxRequestLineBytes so that you could control the limits of request-line and headers independently?

The problem I am having right now is coming up with a value that works for both headers vs. request line.

I'd also be happy to submit a contribution to help.

Cheers

@bradfitz
Contributor

bradfitz commented May 2, 2016

No, we have enough knobs. I don't think there's enough of a use case to warrant a new knob.

@markstgodard
Author

Fair enough
Cheers

@golang golang locked and limited conversation to collaborators May 2, 2017
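
The approach suggested in the thread (a Handler wrapper used alongside Server.MaxHeaderBytes), written out as an added example; it is not code from the issue or from the Go project. The names `LimitRequestLine` and `requestLineLen`, the listen address and both limit values are assumptions chosen for illustration.

```go
package main

import (
	"log"
	"net/http"
)

// requestLineLen reconstructs the size of the Request-Line from the parsed
// request: Method SP Request-URI SP HTTP-Version CRLF. r.RequestURI is the
// unmodified request-target the client sent. For HTTP/2 there is no literal
// request line, so the value is only an approximation there.
func requestLineLen(r *http.Request) int {
	return len(r.Method) + 1 + len(r.RequestURI) + 1 + len(r.Proto) + 2
}

// LimitRequestLine (hypothetical name) answers 400 Bad Request when the
// Request-Line is longer than max bytes. It runs after the server has read
// and parsed the request, so it is a policy check, not a read-time bound.
func LimitRequestLine(max int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if requestLineLen(r) > max {
			http.Error(w, "request line too long", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) })
	srv := &http.Server{
		Addr:           "127.0.0.1:8080",            // assumed listen address
		Handler:        LimitRequestLine(2048, mux), // tighter cap on the request line only
		MaxHeaderBytes: 16 << 10,                    // bound on what the server reads: request line plus headers
	}
	log.Fatal(srv.ListenAndServe())
}
```
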