Implement --limit-request-header-count flag

docs/deployment.md

@@ -97,6 +97,10 @@ Options:
   --limit-concurrency INTEGER     Maximum number of concurrent connections or
                                   tasks to allow, before issuing HTTP 503
                                   responses.
+  --limit-request-header-count INTEGER
+                                  Maximum number of HTTP headers to accept.
+                                  Defaults to 100, and it can't be larger than
+                                  32768.
   --backlog INTEGER               Maximum number of connections to hold in
                                   backlog
   --limit-max-requests INTEGER    Maximum number of requests to service before

docs/index.md

@@ -164,6 +164,10 @@ Options:
   --limit-concurrency INTEGER     Maximum number of concurrent connections or
                                   tasks to allow, before issuing HTTP 503
                                   responses.
+  --limit-request-header-count INTEGER
+                                  Maximum number of HTTP headers to accept.
+                                  Defaults to 100, and it can't be larger than
+                                  32768.
   --backlog INTEGER               Maximum number of connections to hold in
                                   backlog
   --limit-max-requests INTEGER    Maximum number of requests to service before

tests/protocols/test_http.py

@@ -96,6 +96,16 @@
     b"".join([b"x" * 32 * 1024 + b"\r\n", b"\r\n", b"\r\n"]),
 ]
 
+TOO_MANY_HEADERS = b"\r\n".join(
+    [
+        b"GET / HTTP/1.1",
+        b"Host: example.org",
+        *[f"{a}: {a}".encode() for a in range(101)],
+        b"",
+        b"",
+    ]
+)
+
 
 class MockTransport:
     def __init__(self, sockname=None, peername=None, sslcontext=False):
@@ -885,3 +895,13 @@ async def test_huge_headers_h11_max_incomplete():
     await protocol.loop.run_one()
     assert b"HTTP/1.1 200 OK" in protocol.transport.buffer
     assert b"Hello, world" in protocol.transport.buffer
+
+
+@pytest.mark.anyio
+async def test_too_many_headers():
+    app = Response("Hello, world", media_type="text/plain")
+
+    protocol = get_connected_protocol(app, HttpToolsProtocol)
+    protocol.data_received(TOO_MANY_HEADERS)
+    assert b"HTTP/1.1 400 Bad Request" in protocol.transport.buffer
+    assert b"Too many headers in request." in protocol.transport.buffer

uvicorn/config.py

@@ -88,6 +88,9 @@
 INTERFACES: List[InterfaceType] = ["auto", "asgi3", "asgi2", "wsgi"]
 
 
+# Use the same value as gunicorn
+# https://github.com/benoitc/gunicorn/blob/cf55d2cec277f220ebd605989ce78ad1bb553c46/gunicorn/http/message.py#L21
+MAX_HEADERS = 32768
 SSL_PROTOCOL_VERSION: int = ssl.PROTOCOL_TLS_SERVER
 
 
@@ -240,6 +243,7 @@ def __init__(
         root_path: str = "",
         limit_concurrency: Optional[int] = None,
         limit_max_requests: Optional[int] = None,
+        limit_request_header_count: int = 100,
         backlog: int = 2048,
         timeout_keep_alive: int = 5,
         timeout_notify: int = 30,
@@ -282,6 +286,7 @@ def __init__(
         self.root_path = root_path
         self.limit_concurrency = limit_concurrency
         self.limit_max_requests = limit_max_requests
+        self.limit_request_header_count = min(limit_request_header_count, MAX_HEADERS)
         self.backlog = backlog
         self.timeout_keep_alive = timeout_keep_alive
         self.timeout_notify = timeout_notify

uvicorn/main.py

@@ -255,6 +255,13 @@ def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> No
     help="Maximum number of concurrent connections or tasks to allow, before issuing"
     " HTTP 503 responses.",
 )
+@click.option(
+    "--limit-request-header-count",
+    type=int,
+    default=100,
+    help="Maximum number of HTTP headers to accept. "
+    "Defaults to 100, and it can't be larger than 32768.",
+)
 @click.option(
     "--backlog",
     type=int,
@@ -385,6 +392,7 @@ def main(
     forwarded_allow_ips: str,
     root_path: str,
     limit_concurrency: int,
+    limit_request_header_count: int,
     backlog: int,
     limit_max_requests: int,
     timeout_keep_alive: int,
@@ -432,6 +440,7 @@ def main(
         forwarded_allow_ips=forwarded_allow_ips,
         root_path=root_path,
         limit_concurrency=limit_concurrency,
+        limit_request_header_count=limit_request_header_count,
         backlog=backlog,
         limit_max_requests=limit_max_requests,
         timeout_keep_alive=timeout_keep_alive,
@@ -484,6 +493,7 @@ def run(
     forwarded_allow_ips: typing.Optional[typing.Union[typing.List[str], str]] = None,
     root_path: str = "",
     limit_concurrency: typing.Optional[int] = None,
+    limit_request_header_count: int = 100,
     backlog: int = 2048,
     limit_max_requests: typing.Optional[int] = None,
     timeout_keep_alive: int = 5,

uvicorn/protocols/http/httptools_impl.py

@@ -104,6 +104,7 @@ def __init__(
         self.headers: List[Tuple[bytes, bytes]] = None  # type: ignore[assignment]
         self.expect_100_continue = False
         self.cycle: RequestResponseCycle = None  # type: ignore[assignment]
+        self.too_many_headers = False
 
     # Protocol interface
     def connection_made(  # type: ignore[override]
@@ -154,7 +155,10 @@ def data_received(self, data: bytes) -> None:
         try:
             self.parser.feed_data(data)
         except httptools.HttpParserError:
-            msg = "Invalid HTTP request received."
+            if self.too_many_headers:
+                msg = "Too many headers in request."
+            else:
+                msg = "Invalid HTTP request received."
             self.logger.warning(msg)
             self.send_400_response(msg)
             return
@@ -236,6 +240,13 @@ def on_header(self, name: bytes, value: bytes) -> None:
         if name == b"expect" and value.lower() == b"100-continue":
             self.expect_100_continue = True
         self.headers.append((name, value))
+        if len(self.headers) >= self.config.limit_request_header_count:
+            self.too_many_headers = True
+
+            # The exception here doesn't matter. The parser will catch any exception on
+            # the `on_header` callback and send raise a `HttpParserCallbackError` on the
+            # `feed_data` method.
+            raise httptools.HttpParserCallbackError()
 
     def on_headers_complete(self) -> None:
         http_version = self.parser.get_http_version()

uvicorn/workers.py

@@ -39,6 +39,7 @@ def __init__(self, *args: Any, **kwargs: Any) -> None:
             "timeout_notify": self.timeout,
             "callback_notify": self.callback_notify,
             "limit_max_requests": self.max_requests,
+            "limit_request_header_count": self.cfg.limit_request_fields,
             "forwarded_allow_ips": self.cfg.forwarded_allow_ips,
         }