http: Restrict maximum size of http + headers #6859

Merged
merged 1 commit into from Oct 21, 2015

@laanwj
Member

laanwj commented Oct 20, 2015

Prevent memory exhaustion by sending lots of data.
Also add a test to httpbasics.py.

Closes #6425

@laanwj laanwj added the RPC/REST/ZMQ label Oct 20, 2015

@dcousens

dcousens Oct 20, 2015

Contributor

Will this restrict #6844 such that transactions greater than 8kB will be restricted?

@@ -414,6 +417,7 @@ bool InitHTTPServer()
}
evhttp_set_timeout(http, GetArg("-rpcservertimeout", DEFAULT_HTTP_SERVER_TIMEOUT));
+ evhttp_set_max_headers_size(http, MAX_HEADERS_SIZE);
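Review bot: the added `evhttp_set_max_headers_size(http, MAX_HEADERS_SIZE)` line takes a compile-time constant, while the timeout on the line above it is configurable through `-rpcservertimeout`. A fixed bound is reasonable for a denial-of-service limit, but please add a short comment here or at the definition of `MAX_HEADERS_SIZE` stating that it covers the request line plus headers and not the body, since the name alone invites confusion with the body size limit.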

@dcousens

dcousens Oct 20, 2015

Contributor

Wait, this PR is only further restricting the headers.
Shouldn't the title be then: "http: Restrict maximum size of headers"

@pstratem

pstratem Oct 21, 2015

Contributor

This should also be restricting the body size, but to something much larger.

Edit: derp it is below!

@laanwj

laanwj Oct 20, 2015

Member

To be precise, it restricts the size of request line + headers, the first part of the request. The body is limited separately (to a much larger size).

#6844 should use POST data to submit the transaction, which is not affected by this.
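
The split described in the comment above (a small cap on request line + headers, a separate and much larger cap on the body), as an added Python sketch. It is not code from this PR or from libevent; the limit values, the status codes and the names `read_request` and `demo` are assumptions of the example.

```python
import io

# Assumed limits: 8 kB echoes the figure asked about in the thread; the PR's
# actual constants are not shown on this page.
MAX_HEAD = 8 * 1024          # request line + headers
MAX_BODY = 4 * 1024 * 1024   # body: separate, much larger cap

def read_request(stream, max_head=MAX_HEAD, max_body=MAX_BODY):
    """Parse one request from a binary stream; return (status, method, body)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        if len(buf) > max_head:          # stop buffering: head cap exceeded
            return 400, None, b""
        chunk = stream.read(1024)
        if not chunk:                    # peer closed before finishing the head
            return 400, None, b""
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    if len(head) + 4 > max_head:         # terminator arrived inside the last chunk
        return 400, None, b""
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ")[0]
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            if not value.strip().isdigit():
                return 400, method, b""
            length = int(value.strip())
    if length > max_body:                # refused from the header, nothing read
        return 413, method, b""
    body = rest[:length]
    while len(body) < length:
        chunk = stream.read(min(65536, length - len(body)))
        if not chunk:                    # body shorter than announced
            return 400, method, b""
        body += chunk
    return 200, method, body

def demo():
    """Constructed inputs: a 100 kB POST body passes, a 10 kB request line does not."""
    payload = b"00" * 50_000
    post = b"POST /submit HTTP/1.1\r\nContent-Length: %d\r\n\r\n%s" % (len(payload), payload)
    get = b"GET /" + b"x" * 10_000 + b" HTTP/1.1\r\nHost: localhost\r\n\r\n"
    return read_request(io.BytesIO(post))[0], read_request(io.BytesIO(get))[0]
```

The head loop never holds more than `max_head` plus one chunk in memory, which is the property that bounds what an unauthenticated peer can make the server buffer before a request is even parsed.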

@jgarzik

jgarzik Oct 20, 2015

Contributor

ut ACK - agree "http + headers" in commit msg seemed to imply http body

http: Restrict maximum size of request line + headers
Prevent memory exhaustion by sending lots of data.
Also add a test to `httpbasics.py`.

Closes #6425
@laanwj


laanwj Oct 20, 2015

Member

Updated the commit message

@sipa

sipa Oct 20, 2015

Member

@dcousens

dcousens Oct 21, 2015

Contributor

ACK

@pstratem

pstratem Oct 21, 2015

Contributor

utACK

@laanwj laanwj merged commit 41db8c4 into bitcoin:master Oct 21, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

laanwj added a commit that referenced this pull request Oct 21, 2015

Merge pull request #6859
41db8c4 http: Restrict maximum size of request line + headers (Wladimir J. van der Laan)

@dagurval dagurval referenced this pull request in bitcoinxt/bitcoinxt Jan 27, 2018

Merged

HTTP Server cherries #315

sickpig added a commit to sickpig/BitcoinUnlimited that referenced this pull request Mar 12, 2018

Port XT #315 from dagurval/28-01-httpserver
HTTP Server cherries from Core:

bitcoin/bitcoin#6719 - Make HTTP server shutdown more graceful
bitcoin/bitcoin#6859 - http: Restrict maximum size of http + headers
bitcoin/bitcoin#6990 - http: speed up shutdown
bitcoin/bitcoin#7966 - http: Do a pending c++11 simplification handling work items
bitcoin/bitcoin#8421 - httpserver: drop boost (#8023 dependency)
bitcoin/bitcoin#11006 - Improve shutdown process

@sickpig sickpig referenced this pull request in BitcoinUnlimited/BitcoinUnlimited Mar 12, 2018

Merged

HTTP servers Core ports #1005
