net/http: optional Request-line length limit #15494

Closed
markstgodard opened this issue Apr 29, 2016 · 7 comments

@markstgodard

commented Apr 29, 2016

I'm using the net/http ReverseProxy server and encountering cases where it would be ideal to reject HTTP requests whose request-line is longer than some configurable value.

According to the RFC and request-line:

Request-Line   = Method SP Request-URI SP HTTP-Version CRLF

there is no predefined limit on the request line size, so the HTTP server in Go is doing the right thing.

However, in scenarios such as plain old invalid requests or potentially malicious requests with large payloads, it would be ideal to have the option to cap the request-line and return a 400 - Bad Request.

Any thoughts on potentially providing optional support to have a max length request line?

Cheers

@bradfitz

Member

commented Apr 30, 2016

Can't you just do it yourself in your http.Handler or Handler wrapper? We already give you the Server.MaxHeaderBytes knob as a DoS prevention mechanism.

@bradfitz bradfitz added this to the Unplanned milestone Apr 30, 2016

@bradfitz bradfitz changed the title Optional Request-line limit length net/http: optional Request-line length limit Apr 30, 2016

@markstgodard

Author

commented Apr 30, 2016

Hi @bradfitz

Thanks for the info.

I originally thought that Server.MaxHeaderBytes was only limiting the reader of all the HTTP headers, but this would also include Read-Line?

I did a quick test and it seems like it is also limiting the read-line.

Thanks

@bradfitz

Member

commented Apr 30, 2016

I'll send a documentation change.

@markstgodard

Author

commented Apr 30, 2016

Thanks for clarifying! 👍 🍺

@gopherbot gopherbot closed this in 38cfaa5 Apr 30, 2016

@markstgodard

Author

commented May 2, 2016

Hi @bradfitz

One last question, would you be open to having a separate Server.MaxRequestLineBytes so that you could control the limits of request-line and headers independently?

The problem I am having right now is coming up with a value that works for both headers vs. request line.

I'd also be happy to submit a contribution to help.

Cheers

@bradfitz

Member

commented May 2, 2016

No, we have enough knobs. I don't think there's enough of a use case to warrant a new knob.

@markstgodard

Author

commented May 2, 2016

Fair enough
Cheers

@golang golang locked and limited conversation to collaborators May 2, 2017
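
The Handler-wrapper approach suggested in the thread, combined with the request for a request-line limit independent of Server.MaxHeaderBytes, could look like the following. This is an added example, not code from the thread or from the Go project; the names LimitRequestLine, requestLineLen and statusFor and the limit values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requestLineLen rebuilds the length of "Method SP Request-URI SP HTTP-Version"
// (CRLF excluded) from the fields net/http parsed out of the request line.
func requestLineLen(r *http.Request) int {
	return len(r.Method) + 1 + len(r.RequestURI) + 1 + len(r.Proto)
}

// LimitRequestLine (hypothetical name) answers 400 Bad Request when the
// request line is longer than max bytes; otherwise it calls next.
func LimitRequestLine(max int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if requestLineLen(r) > max {
			http.Error(w, "request line too long", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed GET for target through the wrapper and
// returns the status code a client would receive.
func statusFor(max int, target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", target, nil)
	LimitRequestLine(max, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(64, "/short"))
	fmt.Println(statusFor(64, "/"+strings.Repeat("a", 100)))
	// On a real server the wrapper runs after the line has been read, so
	// MaxHeaderBytes stays set as the read-time bound on line plus headers.
	srv := &http.Server{Addr: "127.0.0.1:8080", MaxHeaderBytes: 8 << 10}
	srv.Handler = LimitRequestLine(2048, http.DefaultServeMux)
	_ = srv // not started here; call srv.ListenAndServe() to serve
}
```

The wrapper only enforces policy on requests the server has already accepted and parsed, so it complements MaxHeaderBytes rather than replacing it.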
