prosody
d3646443a02e
net/http/parser.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

net/http/parser.lua @ 7576:d3646443a02e

net.http.parser: Add a limit on content length, default to 10M
author Kim Alvefur <zash@zash.se>
date Thu, 18 Aug 2016 14:47:58 +0200
parent 7575:3ae247af68f4
child 7577:3dc52f1778db
comparison
equal deleted inserted replaced
7575:3ae247af68f4 7576:d3646443a02e
27 27
28 function httpstream.new(success_cb, error_cb, parser_type, options_cb) 28 function httpstream.new(success_cb, error_cb, parser_type, options_cb)
29 local client = true; 29 local client = true;
30 if not parser_type or parser_type == "server" then client = false; else assert(parser_type == "client", "Invalid parser type"); end 30 if not parser_type or parser_type == "server" then client = false; else assert(parser_type == "client", "Invalid parser type"); end
31 local buf, buflen, buftable = {}, 0, true; 31 local buf, buflen, buftable = {}, 0, true;
32 local bodylimit = 10*1024*1024;
32 local chunked, chunk_size, chunk_start; 33 local chunked, chunk_size, chunk_start;
33 local state = nil; 34 local state = nil;
34 local packet; 35 local packet;
35 local len; 36 local len;
36 local have_body; 37 local have_body;
86 end 87 end
87 end 88 end
88 if not first_line then error = true; return error_cb("invalid-status-line"); end 89 if not first_line then error = true; return error_cb("invalid-status-line"); end
89 chunked = have_body and headers["transfer-encoding"] == "chunked"; 90 chunked = have_body and headers["transfer-encoding"] == "chunked";
90 len = tonumber(headers["content-length"]); -- TODO check for invalid len 91 len = tonumber(headers["content-length"]); -- TODO check for invalid len
92 if len and len > bodylimit then error = true; return error_cb("content-length-limit-exceeded"); end
91 if client then 93 if client then
92 -- FIXME handle '100 Continue' response (by skipping it) 94 -- FIXME handle '100 Continue' response (by skipping it)
93 if not have_body then len = 0; end 95 if not have_body then len = 0; end
94 packet = { 96 packet = {
95 code = status_code; 97 code = status_code;