aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2016-08-18 14:47:58 +0200
committerKim Alvefur <zash@zash.se>2016-08-18 14:47:58 +0200
commit72573b8d101668e946bc7aedd6cfdf90acf18663 (patch)
tree7253adc449646597e04b84c4b55fea480cd3ce6e /net
parent8daf86767cc381f059402ba9ba334638345bec48 (diff)
downloadprosody-72573b8d101668e946bc7aedd6cfdf90acf18663.tar.gz
prosody-72573b8d101668e946bc7aedd6cfdf90acf18663.zip
net.http.parser: Add a limit on content length, default to 10M
Diffstat (limited to 'net')
-rw-r--r--net/http/parser.lua2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/http/parser.lua b/net/http/parser.lua
index af43e7a0..0f764d12 100644
--- a/net/http/parser.lua
+++ b/net/http/parser.lua
@@ -29,6 +29,7 @@ function httpstream.new(success_cb, error_cb, parser_type, options_cb)
local client = true;
if not parser_type or parser_type == "server" then client = false; else assert(parser_type == "client", "Invalid parser type"); end
local buf, buflen, buftable = {}, 0, true;
+ local bodylimit = 10*1024*1024;
local chunked, chunk_size, chunk_start;
local state = nil;
local packet;
@@ -88,6 +89,7 @@ function httpstream.new(success_cb, error_cb, parser_type, options_cb)
if not first_line then error = true; return error_cb("invalid-status-line"); end
chunked = have_body and headers["transfer-encoding"] == "chunked";
len = tonumber(headers["content-length"]); -- TODO check for invalid len
+ if len and len > bodylimit then error = true; return error_cb("content-length-limit-exceeded"); end
if client then
-- FIXME handle '100 Continue' response (by skipping it)
if not have_body then len = 0; end