
net/http: client's response header size not limited #9115

Closed
gopherbot opened this issue Nov 17, 2014 · 4 comments

5 participants

@gopherbot

commented Nov 17, 2014

by gima@iki.fi:

It doesn't seem to be possible to limit the http client's response header size.

I think this is important, as if a maliciously behaving server responds with too big
headers, it would eat away the client's memory. So, the client's response header size
should be limitable with some safe default, just the way it is for http server's request
headers.

This appears to be the place where the reading of the headers is done in one-go:
> 591  func ReadRequest(b *bufio.Reader) (req *Request, err error) {
> ...
> 642      mimeHeader, err := tp.ReadMIMEHeader()
> ...
https://tip.golang.org/src/net/http/request.go#L642


(Hopefully I didn't miss anything that'd void my claim :)
@ianlancetaylor

Contributor

commented Nov 17, 2014

Comment 1:

Labels changed: added repo-main, release-go1.5.

@jeffallen

Contributor

commented Nov 20, 2014

Comment 2:

To save the next guy who looks at this some time, it is actually ReadResponse that is
not being careful about how much the server sends down to the client:
https://tip.golang.org/src/net/http/response.go#L110
A simple first try might be to wrap the incoming *bufio.Reader in a MaxBytesReader.
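The two sides of this thread, as an added example that is not part of the original issue or of Go's own code: the hostile server from the opening report, which answers with a header as large as it likes, and the mitigation suggested just above, wrapping the `*bufio.Reader` that `ReadResponse` consumes in a byte limiter. The same program also exercises `Transport.MaxResponseHeaderBytes`, the field Go 1.7 added to close this issue, against a hostile server that lives on the far end of an in-memory `net.Pipe`, so nothing touches the network. Everything here is constructed for the demonstration: the raw responses, the 4 KiB `headerLimit`, `cappedReader`, `readCapped`, `fetchViaPipe` and the `example.invalid` URL are assumptions, not API from the page.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// Demonstration-only limit. With MaxResponseHeaderBytes left at zero the
// Go 1.7+ transport falls back to its own default of 10 MiB.
const headerLimit = 4 << 10

// errHeaderTooLarge is the constructed sentinel the hand-rolled limiter returns.
var errHeaderTooLarge = errors.New("response header exceeds limit")

// rawResponse builds a constructed HTTP/1.1 response whose single header
// value is n bytes long; a hostile server can make n as large as it likes.
func rawResponse(n int) string {
	return "HTTP/1.1 200 OK\r\n" +
		"Content-Length: 2\r\n" +
		"X-Padding: " + strings.Repeat("A", n) + "\r\n" +
		"\r\n" +
		"ok"
}

// cappedReader is the "wrap the *bufio.Reader" idea: once n bytes have
// been handed out it refuses further reads with an error instead of EOF,
// so ReadResponse fails loudly rather than buffering a giant header.
type cappedReader struct {
	r io.Reader
	n int64
}

func (c *cappedReader) Read(p []byte) (int, error) {
	if c.n <= 0 {
		return 0, errHeaderTooLarge
	}
	if int64(len(p)) > c.n {
		p = p[:c.n]
	}
	k, err := c.r.Read(p)
	c.n -= int64(k)
	return k, err
}

// readCapped parses raw with http.ReadResponse through the limiter.
func readCapped(raw string, limit int64) (*http.Response, error) {
	br := bufio.NewReader(&cappedReader{r: strings.NewReader(raw), n: limit})
	return http.ReadResponse(br, nil)
}

// fetchViaPipe drives a real *http.Transport over net.Pipe; the far end
// plays the hostile server and writes raw verbatim after reading the request.
func fetchViaPipe(raw string, maxHeader int64) (*http.Response, error) {
	clientEnd, serverEnd := net.Pipe()
	go func() {
		defer serverEnd.Close()
		if _, err := http.ReadRequest(bufio.NewReader(serverEnd)); err != nil {
			return
		}
		// Fails with ErrClosedPipe once the client hangs up; that is expected.
		_, _ = io.WriteString(serverEnd, raw)
	}()
	tr := &http.Transport{
		MaxResponseHeaderBytes: maxHeader, // the Go 1.7 knob added for this issue
		DialContext: func(context.Context, string, string) (net.Conn, error) {
			return clientEnd, nil
		},
	}
	req, err := http.NewRequest(http.MethodGet, "http://example.invalid/", nil)
	if err != nil {
		return nil, err
	}
	return tr.RoundTrip(req)
}

func main() {
	for _, n := range []int{64, 1 << 20} {
		raw := rawResponse(n)
		_, err := readCapped(raw, headerLimit)
		fmt.Printf("ReadResponse via cappedReader, %8d-byte header: err=%v\n", n, err)
		resp, err := fetchViaPipe(raw, headerLimit)
		if err == nil {
			resp.Body.Close()
		}
		fmt.Printf("Transport.MaxResponseHeaderBytes, %8d-byte header: err=%v\n", n, err)
	}
}
```

Both paths accept the 64-byte header and reject the 1 MiB one after reading at most `headerLimit` bytes, which is the property the report asks for: memory spent on a response header is bounded by the client, not by the server. The capped reader applies to header and body alike, so it only suits code that reads a response in one go; the transport field applies to the header only and leaves body reads unlimited, which is the behaviour most clients actually want.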

@gopherbot gopherbot added new labels Nov 20, 2014

@bradfitz bradfitz modified the milestone: Go1.5 Dec 16, 2014

@rsc rsc removed the repo-main label Apr 14, 2015

@rsc

Contributor

commented Jun 29, 2015

Too late for Go 1.5.

@rsc rsc modified the milestones: Unplanned, Go1.5 Jun 29, 2015

@bradfitz bradfitz self-assigned this Mar 31, 2016

@gopherbot

Author

commented Mar 31, 2016

CL https://golang.org/cl/21329 mentions this issue.

@bradfitz bradfitz modified the milestones: Go1.7, Unplanned Mar 31, 2016

@gopherbot gopherbot closed this in 36feb1a Apr 1, 2016

@golang golang locked and limited conversation to collaborators Apr 1, 2017
