# HG changeset patch
# User Kim Alvefur
# Date 1471524478 -7200
# Node ID d3646443a02ec7dc8f0d62bb7477b5922157563d
# Parent 3ae247af68f42a83fc5082f7789c7b78a9a2f045
net.http.parser: Add a limit on content length, default to 10M
diff -r 3ae247af68f4 -r d3646443a02e net/http/parser.lua
--- a/net/http/parser.lua Sat Aug 13 20:19:08 2016 +0200
+++ b/net/http/parser.lua Thu Aug 18 14:47:58 2016 +0200
@@ -29,6 +29,7 @@
 local client = true;
 if not parser_type or parser_type == "server" then client = false; else assert(parser_type == "client", "Invalid parser type"); end
 local buf, buflen, buftable = {}, 0, true;
+ local bodylimit = 10*1024*1024;
 local chunked, chunk_size, chunk_start;
 local state = nil;
 local packet;
@@ -88,6 +89,7 @@
 if not first_line then error = true; return error_cb("invalid-status-line"); end
 chunked = have_body and headers["transfer-encoding"] == "chunked";
 len = tonumber(headers["content-length"]); -- TODO check for invalid len
+ if len and len > bodylimit then error = true; return error_cb("content-length-limit-exceeded"); end
 if client then
 -- FIXME handle '100 Continue' response (by skipping it)
 if not have_body then len = 0; end
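Review bot: In the `@@ -29,6 +29,7 @@` hunk, `bodylimit` is a hard-coded local even though the commit title calls 10M a default, and nothing in the visible lines lets a caller change it. If an override is not part of this change, a comment should at least record the unit and intent, e.g. `local bodylimit = 10*1024*1024; -- max accepted Content-Length, in bytes`. The enclosing function starts and ends outside the hunk, so a configuration path may exist elsewhere.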
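Review bot: The new guard in the `@@ -88,6 +89,7 @@` hunk bounds only a declared Content-Length, so a body sent with `transfer-encoding: chunked` (detected two lines above) or with no length header is not limited by `bodylimit` in the visible lines. It also accepts negative or fractional values returned by `tonumber`, which the adjacent TODO already flags; `if len and (len < 0 or len % 1 ~= 0 or len > bodylimit) then` would reject those as well, ideally with a separate error name for an invalid length. Bounding memory use in general would need the limit applied to accumulated body bytes in the body-reading states, which lie outside this hunk.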