Remove upper limit on max header size config (#1313)

Fixes #1306
2026-01-14 11:09:11 +08:00 · 2016-09-17 11:49:05 +02:00 · 2016-09-17 11:49:05 +02:00 · 70cfb0d818
commit 70cfb0d818
parent 2b839ca144
7 changed files with 35 additions and 8 deletions
--- a/gunicorn/config.py
+++ b/gunicorn/config.py
@ -793,8 +793,12 @@ class LimitRequestFieldSize(Setting):
    desc = """\
        Limit the allowed size of an HTTP request header field.

-        Value is a number from 0 (unlimited) to 8190. to set the limit
-        on the allowed size of an HTTP request header field.
+        Value is a positive number or 0. Setting it to 0 will allow unlimited
+        header field sizes.
+
+        .. warning::
+           Setting this parameter to a very high or unlimited value can open
+           up for DDOS attacks.
        """


--- a/gunicorn/http/message.py
+++ b/gunicorn/http/message.py
@ -19,7 +19,7 @@ from gunicorn._compat import urlsplit

 MAX_REQUEST_LINE = 8190
 MAX_HEADERS = 32768
-MAX_HEADERFIELD_SIZE = 8190
+DEFAULT_MAX_HEADERFIELD_SIZE = 8190

 HEADER_RE = re.compile("[\x00-\x1F\x7F()<>@,;:\[\]={} \t\\\\\"]")
 METH_RE = re.compile(r"[A-Z0-9$-_.]{3,20}")
@ -41,12 +41,11 @@ class Message(object):
            or self.limit_request_fields > MAX_HEADERS):
            self.limit_request_fields = MAX_HEADERS
        self.limit_request_field_size = cfg.limit_request_field_size
-        if (self.limit_request_field_size < 0
-            or self.limit_request_field_size > MAX_HEADERFIELD_SIZE):
-            self.limit_request_field_size = MAX_HEADERFIELD_SIZE
+        if self.limit_request_field_size < 0:
+            self.limit_request_field_size = DEFAULT_MAX_HEADERFIELD_SIZE

        # set max header buffer size
-        max_header_field_size = self.limit_request_field_size or MAX_HEADERFIELD_SIZE
+        max_header_field_size = self.limit_request_field_size or DEFAULT_MAX_HEADERFIELD_SIZE
        self.max_buffer_headers = self.limit_request_fields * \
            (max_header_field_size + 2) + 4

--- a/tests/requests/invalid/017.http
+++ b/tests/requests/invalid/017.http
--- a/tests/requests/invalid/017.py
+++ b/tests/requests/invalid/017.py
@ -0,0 +1,5 @@
+from gunicorn.config import Config
+from gunicorn.http.errors import LimitRequestHeaders
+
+cfg = Config()
+request = LimitRequestHeaders
--- a/tests/requests/valid/024.py
+++ b/tests/requests/valid/024.py
@ -1,5 +1,4 @@
 from gunicorn.config import Config
-from gunicorn.http.errors import LimitRequestHeaders

 cfg = Config()
 cfg.set('limit_request_line', 0)
--- a/tests/requests/valid/026.http
+++ b/tests/requests/valid/026.http
--- a/tests/requests/valid/026.py
+++ b/tests/requests/valid/026.py