From 12ae7ac17e07564c7fc2b3dee103724a26af4b71 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Thu, 18 Aug 2016 14:47:58 +0200
Subject: net.http.parser: Add a limit on content length, default to 10M

---
 net/http/parser.lua | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'net/http')

diff --git a/net/http/parser.lua b/net/http/parser.lua
index af43e7a0..0f764d12 100644
--- a/net/http/parser.lua
+++ b/net/http/parser.lua
@@ -29,6 +29,7 @@ function httpstream.new(success_cb, error_cb, parser_type, options_cb)
 	local client = true;
 	if not parser_type or parser_type == "server" then client = false; else assert(parser_type == "client", "Invalid parser type"); end
 	local buf, buflen, buftable = {}, 0, true;
+	local bodylimit = 10*1024*1024;
 	local chunked, chunk_size, chunk_start;
 	local state = nil;
 	local packet;
@@ -88,6 +89,7 @@ function httpstream.new(success_cb, error_cb, parser_type, options_cb)
 					if not first_line then error = true; return error_cb("invalid-status-line"); end
 					chunked = have_body and headers["transfer-encoding"] == "chunked";
 					len = tonumber(headers["content-length"]); -- TODO check for invalid len
+					if len and len > bodylimit then error = true; return error_cb("content-length-limit-exceeded"); end
 					if client then
 						-- FIXME handle '100 Continue' response (by skipping it)
 						if not have_body then len = 0; end
-- 
cgit v1.2.3