net/http: set MaxResponseHeaderBytes in DefaultTransport? #26315

Closed
bradfitz opened this issue Jul 10, 2018 · 3 comments

@bradfitz
Member

commented Jul 10, 2018

Should we set MaxResponseHeaderBytes to something non-zero in http.DefaultTransport?

Even if it's something insane, like 10MB? Just to put some protection on it for users.

@bradfitz bradfitz added this to the Go1.12 milestone Jul 10, 2018

@bradfitz bradfitz self-assigned this Jul 10, 2018

@rsc

Contributor

commented Sep 26, 2018

Are there other protection defaults we missed? 10 MB seems OK. (Or check with Chrome team.)

@rsc rsc added the NeedsFix label Sep 26, 2018

@gopherbot

commented Sep 26, 2018

Change https://golang.org/cl/137717 mentions this issue: net/http: set MaxResponseHeaderBytes on DefaultTransport

@bradfitz

Member Author

commented Oct 2, 2018

@dmitshur points out that https://go-review.googlesource.com/c/go/+/21329/2/src/net/http/transport.go already defined the zero value to mean 10 MB.

So there's nothing to do here.

@bradfitz bradfitz closed this Oct 2, 2018
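
An added example, not code from this issue or from the Go project: a client that sets `MaxResponseHeaderBytes` explicitly on its own `http.Transport`, run against a local test server that returns oversized headers. The helper names (`newClient`, `fetchStatus`, `newBigHeaderServer`), the 4 KiB cap and the 64 KiB header are assumptions constructed for the illustration; a limit of 0 leaves the zero value, which the thread notes already means 10 MB.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newClient builds a client with its own Transport instead of relying on
// http.DefaultTransport. limit == 0 keeps the transport's built-in default.
func newClient(limit int64) *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{MaxResponseHeaderBytes: limit},
	}
}

// fetchStatus performs a GET and returns the status code, or the transport error.
func fetchStatus(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// newBigHeaderServer starts a loopback test server whose every response
// carries one constructed header of n bytes.
func newBigHeaderServer(n int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Padding", strings.Repeat("a", n))
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	srv := newBigHeaderServer(64 << 10) // 64 KiB of response headers
	defer srv.Close()
	for _, limit := range []int64{0, 4 << 10} { // default, then a 4 KiB cap
		code, err := fetchStatus(newClient(limit), srv.URL)
		fmt.Printf("limit=%d status=%d err=%v\n", limit, code, err)
	}
}
```

With the default limit the request succeeds; with the 4 KiB cap the transport aborts the response and `Get` returns an error before any body is read.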
