jingrow/gunicorn
1
0
Fork 0
mirror of https://github.com/frappe/gunicorn.git synced 2026-01-14 11:09:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove upper limit on max header size config (#1313)

Browse Source 
Fixes #1306
This commit is contained in:
Tobias Gustafsson 2016-09-17 11:49:05 +02:00 committed by Berker Peksag
parent 2b839ca144
commit 70cfb0d818
7 changed files with 35 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
gunicorn/config.py
View File

@ -793,8 +793,12 @@ class LimitRequestFieldSize(Setting):
desc = """\ desc = """\
Limit the allowed size of an HTTP request header field. Limit the allowed size of an HTTP request header field.
Value is a number from 0 (unlimited) to 8190. to set the limit Value is a positive number or 0. Setting it to 0 will allow unlimited
on the allowed size of an HTTP request header field. header field sizes.
.. warning::
Setting this parameter to a very high or unlimited value can open
up for DDOS attacks.
""" """

9
gunicorn/http/message.py
View File

@ -19,7 +19,7 @@ from gunicorn._compat import urlsplit
MAX_REQUEST_LINE = 8190 MAX_REQUEST_LINE = 8190
MAX_HEADERS = 32768 MAX_HEADERS = 32768
MAX_HEADERFIELD_SIZE = 8190 DEFAULT_MAX_HEADERFIELD_SIZE = 8190
HEADER_RE = re.compile("[\x00-\x1F\x7F()<>@,;:\[\]={} \t\\\\\"]") HEADER_RE = re.compile("[\x00-\x1F\x7F()<>@,;:\[\]={} \t\\\\\"]")
METH_RE = re.compile(r"[A-Z0-9$-_.]{3,20}") METH_RE = re.compile(r"[A-Z0-9$-_.]{3,20}")
@ -41,12 +41,11 @@ class Message(object):
or self.limit_request_fields > MAX_HEADERS): or self.limit_request_fields > MAX_HEADERS):
self.limit_request_fields = MAX_HEADERS self.limit_request_fields = MAX_HEADERS
self.limit_request_field_size = cfg.limit_request_field_size self.limit_request_field_size = cfg.limit_request_field_size
if (self.limit_request_field_size < 0 if self.limit_request_field_size < 0:
or self.limit_request_field_size > MAX_HEADERFIELD_SIZE): self.limit_request_field_size = DEFAULT_MAX_HEADERFIELD_SIZE
self.limit_request_field_size = MAX_HEADERFIELD_SIZE
# set max header buffer size # set max header buffer size
max_header_field_size = self.limit_request_field_size or MAX_HEADERFIELD_SIZE max_header_field_size = self.limit_request_field_size or DEFAULT_MAX_HEADERFIELD_SIZE
self.max_buffer_headers = self.limit_request_fields * \ self.max_buffer_headers = self.limit_request_fields * \
(max_header_field_size + 2) + 4 (max_header_field_size + 2) + 4

3
tests/requests/invalid/017.http Normal file
View File

File diff suppressed because one or more lines are too long

5
tests/requests/invalid/017.py Normal file
View File

@ -0,0 +1,5 @@
from gunicorn.config import Config
from gunicorn.http.errors import LimitRequestHeaders
cfg = Config()
request = LimitRequestHeaders

1
tests/requests/valid/024.py
View File

@ -1,5 +1,4 @@
from gunicorn.config import Config from gunicorn.config import Config
from gunicorn.http.errors import LimitRequestHeaders
cfg = Config() cfg = Config()
cfg.set('limit_request_line', 0) cfg.set('limit_request_line', 0)

3
tests/requests/valid/026.http Normal file
View File

File diff suppressed because one or more lines are too long

14
tests/requests/valid/026.py Normal file
View File

File diff suppressed because one or more lines are too long