net/http: client's response header size not limited #9115
Labels
Milestone
Comments
To save the next guy who looks at this some time, it is actually ReadResponse that is not being careful about how much the server sends down to the client: https://tip.golang.org/src/net/http/response.go#L110 An simple first try might be to wrap the incoming *bufio.Reader in a MaxBytesReader. |
|
Too late for Go 1.5. |
|
CL https://golang.org/cl/21329 mentions this issue. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
by gima@iki.fi:
It doesn't seem to be possible to limit http client't response header size. I think this is important, as if a maliciously behaving server responds with too big headers, it would eat away the client's memory. So, the client's response header size should be limitable with some safe default, just the way it is for http server's request headers. This appears to be the place where the reading of the headers is done in one-go: > 591 func ReadRequest(b *bufio.Reader) (req *Request, err error) { > ... > 642 mimeHeader, err := tp.ReadMIMEHeader() > ... https://tip.golang.org/src/net/http/request.go#L642 (Hopefully I didn't miss anything that'd void my claim :)The text was updated successfully, but these errors were encountered: