WebSocket upgrade request body limit #2648

Closed
vietj opened this Issue Oct 3, 2018 · 0 comments

vietj commented Oct 3, 2018

CVE-2018-12541: The WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.
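A sketch of the limit described in this issue, added here as an illustration and not taken from the Vert.x code base or the referenced commit: the upgrade request body is counted as it arrives and rejected as soon as it passes 8192 bytes, instead of being buffered whole. `UpgradeBodyLimiter`, `Decision`, `onHeaders`, `onChunk` and `rejectionResponse` are hypothetical names, and using -1 for a missing Content-Length is an assumption.

```java
import java.io.ByteArrayOutputStream;

// Hypothetical helper, not a Vert.x class: caps the body of a WebSocket upgrade request.
public class UpgradeBodyLimiter {
    static final int MAX_BODY = 8192;            // limit named in the issue

    enum Decision { CONTINUE, REJECT_413 }

    private final ByteArrayOutputStream buffered = new ByteArrayOutputStream();
    private long seen = 0;
    private boolean rejected = false;

    // Reject on the declared length before any body byte is read.
    // declaredLength is -1 when no Content-Length header was sent (assumption).
    Decision onHeaders(long declaredLength) {
        return declaredLength > MAX_BODY ? reject() : Decision.CONTINUE;
    }

    // Count every chunk; a chunked or mis-declared body is caught here.
    Decision onChunk(byte[] chunk) {
        if (rejected) return Decision.REJECT_413;
        seen += chunk.length;
        if (seen > MAX_BODY) return reject();
        buffered.write(chunk, 0, chunk.length);  // never holds more than MAX_BODY bytes
        return Decision.CONTINUE;
    }

    private Decision reject() {
        rejected = true;
        buffered.reset();                        // drop what was buffered; store nothing more
        return Decision.REJECT_413;
    }

    // Response written before the connection is closed.
    static String rejectionResponse() {
        return "HTTP/1.1 413 Request Entity Too Large\r\n"
             + "Connection: close\r\nContent-Length: 0\r\n\r\n";
    }

    public static void main(String[] args) {
        UpgradeBodyLimiter limiter = new UpgradeBodyLimiter();
        System.out.println("headers: " + limiter.onHeaders(-1));
        byte[] chunk = new byte[4096];           // constructed sample input
        for (int i = 1; i <= 3; i++) {
            Decision d = limiter.onChunk(chunk);
            System.out.println("chunk " + i + ": " + d + " held=" + limiter.buffered.size());
        }
        System.out.print(rejectionResponse());
    }
}
```

The caller is expected to stop reading from the socket once `REJECT_413` is returned, write the response, and close the connection.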

@vietj vietj added major bug labels Oct 3, 2018

@vietj vietj added this to the 3.5.4 milestone Oct 3, 2018

@vietj vietj self-assigned this Oct 3, 2018

vietj added a commit that referenced this issue Oct 3, 2018

CVE-2018-12541: When a WebSocket upgrade has a body > 8192 send an appropriate response immediately and close the connection afterward. - fixes #2648

@vietj vietj closed this Oct 3, 2018

@vietj vietj referenced this issue Oct 3, 2018

Closed

Vert.x 3.5.4 umbrella issue #401

22 of 22 tasks complete