Add setting to configure max header value length in Akka HTTP Server #8162

Merged: 2 commits merged into playframework:master from marcospereira:max-header-value-length-setting on Jul 26, 2018

marcospereira commented Jan 16, 2018

Purpose

Netty Server already has a setting to configure max header value length, but there is not a direct setting to do the same for Akka HTTP Server.

Fixes

Fixes #7990.

}.skipUntilNettyHttpFixed
// Netty is not returning a bad request, but instead a 414 URI Too Long
// It is arguably that we should wait a 5. 431 Request Header Fields Too Large
// as defined in https://tools.ietf.org/html/rfc6585#section-5
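
Review bot: `.skipUntilNettyHttpFixed` on the closing brace removes the Netty run of this test altogether, although the comment under it records only a different status code (414 instead of a bad request), so the header-length limit itself goes unchecked on that backend. Keeping the test active and asserting on the rejection status per backend would retain that coverage. The second comment line ("It is arguably that we should wait a 5. 431 ...") does not parse as a sentence and should be reworded to say which status is expected.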

richdougherty Jan 16, 2018

Member

Instead of skipping for Netty, perhaps make the test accept either a 400 or 414? I agree with the point that a 431 is probably the right response, but any 4xx is probably OK. 🤷‍♂️

marcospereira Jan 17, 2018

Member

Agree. Changed.

# This setting is set in `akka.http.server.parsing.max-header-value-length`
# and it limits the length of HTTP header values.
max-header-value-length = 8k
max-header-value-length = ${?akka.http.parsing.max-header-value-length}
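
Review bot: the comment names `akka.http.server.parsing.max-header-value-length`, but the optional substitution on the last line reads `${?akka.http.parsing.max-header-value-length}`, so the documented key and the key actually consulted differ. Either align the two paths or state in the comment which one overrides the `8k` default. Because the substitution replaces `8k` whenever that Akka key is defined, the comment should also say that the effective header-value limit can follow the Akka configuration rather than the literal in this file.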

richdougherty Jan 16, 2018

Member

So this picks up Akka's default value?

marcospereira Jan 17, 2018

Member

Yes. Akka default is 8k, by the way. I've added this to keep consistent if they change their default, but maybe it is not a good idea after all (since Play's default will change without further notice).

WDYT?

schmitch Feb 13, 2018

Member

Well, I don't think the Akka guys will change that without raising a minor version?

@marcospereira marcospereira force-pushed the marcospereira:max-header-value-length-setting branch from 4c76cfd to b61d94a Jan 17, 2018

@marcospereira marcospereira force-pushed the marcospereira:max-header-value-length-setting branch 2 times, most recently from b3fa61e to c63d251 Jan 22, 2018

richdougherty added a commit to richdougherty/playframework that referenced this pull request Mar 27, 2018

Update test to expect 431 status code for long headers
Since Akka HTTP 10.0.12 the status code has changed.

- See change to Akka HTTP:
  akka/akka-http#1800.
- Related PR in Play:
  playframework#8162

marcospereira added a commit that referenced this pull request Mar 27, 2018

Change Akka HTTP backend to use raw headers (#8314)
* Change Akka HTTP backend to use raw headers

Fixes #7733, #7735, #7719, #7997, #8205.

Maybe fixed, but not verified: #7737, #8149.

Most request and response headers are now unparsed by Akka HTTP
and stored as RawHeaders. That means Akka HTTP won't log warnings, won't
reject headers and won't reformat headers.

Several headers are still parsed in order for Akka HTTP to
function properly: Content-Type, Content-Encoding, WebSocket related
headers, etc. These headers are in a whitelist in the Akka HTTP
source.

* Update test to expect 431 status code for long headers

Since Akka HTTP 10.0.12 the status code has changed.

- See change to Akka HTTP:
  akka/akka-http#1800.
- Related PR in Play:
  #8162

marcospereira added a commit to marcospereira/playframework that referenced this pull request Mar 28, 2018

Change Akka HTTP backend to use raw headers (playframework#8314)

marcospereira added a commit that referenced this pull request Apr 2, 2018

Change Akka HTTP backend to use raw headers (#8314) (#8319)

@marcospereira marcospereira force-pushed the marcospereira:max-header-value-length-setting branch from c63d251 to 2120634 Jul 18, 2018

@marcospereira marcospereira force-pushed the marcospereira:max-header-value-length-setting branch from 2120634 to 6b6c155 Jul 18, 2018

@marcospereira marcospereira merged commit 5f6dcaa into playframework:master Jul 26, 2018

@marcospereira marcospereira deleted the marcospereira:max-header-value-length-setting branch Jul 26, 2018

marcospereira added a commit that referenced this pull request Aug 16, 2018

Add setting to configure max header value length in Akka HTTP Server (#8162)

* Add setting to configure max header value length in Akka HTTP Server

* Configure mima filters

marcospereira commented Aug 16, 2018

Backport to 2.6.x: 90c6b3c
