You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It doesn't seem to be possible to limit http client't response header size.
I think this is important, as if a maliciously behaving server responds with too big
headers, it would eat away the client's memory. So, the client's response header size
should be limitable with some safe default, just the way it is for http server's request
headers.
This appears to be the place where the reading of the headers is done in one-go:
> 591 func ReadRequest(b *bufio.Reader) (req *Request, err error) {
> ...
> 642 mimeHeader, err := tp.ReadMIMEHeader()
> ...
https://tip.golang.org/src/net/http/request.go#L642
(Hopefully I didn't miss anything that'd void my claim :)
The text was updated successfully, but these errors were encountered:
To save the next guy who looks at this some time, it is actually ReadResponse that is
not being careful about how much the server sends down to the client:
https://tip.golang.org/src/net/http/response.go#L110
An simple first try might be to wrap the incoming *bufio.Reader in a MaxBytesReader.
by gima@iki.fi:
The text was updated successfully, but these errors were encountered: