WebSocket upgrade request body limit #2648

Closed
vietj opened this issue Oct 3, 2018 · 0 comments
vietj commented Oct 3, 2018

CVE-2018-12541: The WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.

@vietj vietj added this to the 3.5.4 milestone Oct 3, 2018
@vietj vietj self-assigned this Oct 3, 2018
vietj added a commit that referenced this issue Oct 3, 2018
…propriate response immediately and close the connection afterward. - fixes #2648
@vietj vietj closed this as completed Oct 3, 2018
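
One way to enforce the limit described in this issue, as an added example that is not Vert.x code and not the commit referenced above. The class, enum and method names are hypothetical, and it assumes the server hands body chunks to the handler as they arrive instead of aggregating the request first.

```java
import java.io.ByteArrayOutputStream;

/** Added example (hypothetical names): caps the body buffered for a WebSocket upgrade request. */
public class UpgradeBodyLimiter {
    static final int MAX_BODY_BYTES = 8192;          // limit stated in the issue
    enum Decision { CONTINUE, REJECT_413 }

    private final ByteArrayOutputStream body = new ByteArrayOutputStream();
    private boolean rejected;

    /** Check the declared Content-Length (-1 if absent) before reading any body bytes. */
    Decision onHeaders(long contentLength) {
        if (contentLength > MAX_BODY_BYTES) {
            rejected = true;
        }
        return rejected ? Decision.REJECT_413 : Decision.CONTINUE;
    }

    /** Account for each body chunk as it arrives; never buffer past the limit. */
    Decision onChunk(byte[] chunk) {
        if (rejected || body.size() + (long) chunk.length > MAX_BODY_BYTES) {
            rejected = true;
            body.reset();                             // drop what was buffered so far
            return Decision.REJECT_413;               // caller writes 413, then closes the connection
        }
        body.write(chunk, 0, chunk.length);
        return Decision.CONTINUE;
    }

    int buffered() { return body.size(); }

    public static void main(String[] args) {
        // Constructed input: a body with no Content-Length, sent in 4096-byte chunks.
        UpgradeBodyLimiter limiter = new UpgradeBodyLimiter();
        System.out.println("headers: " + limiter.onHeaders(-1));
        for (int i = 1; i <= 3; i++) {
            Decision d = limiter.onChunk(new byte[4096]);
            System.out.println("chunk " + i + ": " + d + ", buffered=" + limiter.buffered());
        }
        // Constructed input: an oversized Content-Length is refused before any body is read.
        System.out.println("declared 1 MiB: " + new UpgradeBodyLimiter().onHeaders(1L << 20));
    }
}
```

The incremental count matters because a chunked request declares no length up front, so a Content-Length check alone would not bound memory use.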