Merge pull request #191 from reem/max-header-lengths

seanmonstar · seanmonstar · commit 1d7ec47807f3 · 2014-12-11T20:31:44.000-08:00
(fix) Harden header parsing against memory exhaustion attacks.
diff --git a/src/http.rs b/src/http.rs
@@ -486,6 +486,9 @@ pub fn read_http_version<R: Reader>(stream: &mut R) -> HttpResult<HttpVersion> {
     }
 }
 
+const MAX_HEADER_NAME_LENGTH: uint = 100;
+const MAX_HEADER_FIELD_LENGTH: uint = 1000;
+
 /// The raw bytes when parsing a header line.
 ///
 /// A String and Vec<u8>, divided by COLON (`:`). The String is guaranteed
@@ -525,7 +528,10 @@ pub fn read_header<R: Reader>(stream: &mut R) -> HttpResult<Option<RawHeaderLine
                 }
             },
             b':' => break,
-            b if is_token(b) => name.push(b as char),
+            b if is_token(b) => {
+                if name.len() > MAX_HEADER_NAME_LENGTH { return Err(HttpHeaderError); }
+                name.push(b as char)
+            },
             _nontoken => return Err(HttpHeaderError)
         };
     }
@@ -542,6 +548,7 @@ pub fn read_header<R: Reader>(stream: &mut R) -> HttpResult<Option<RawHeaderLine
             b' ' if ows => {},
             b => {
                 ows = false;
+                if value.len() > MAX_HEADER_FIELD_LENGTH { return Err(HttpHeaderError); }
                 value.push(b)
             }
         };

Original file line number	Diff line number	Diff line change
`@@ -486,6 +486,9 @@ pub fn read_http_version<R: Reader>(stream: &mut R) -> HttpResult<HttpVersion> {`
`486`	`486`	`}`
`487`	`487`	`}`
`488`	`488`
	`489`	`+const MAX_HEADER_NAME_LENGTH: uint = 100;`
	`490`	`+const MAX_HEADER_FIELD_LENGTH: uint = 1000;`
	`491`	`+`
`489`	`492`	`/// The raw bytes when parsing a header line.`
`490`	`493`	`///`
`491`	`494`	/// A String and Vec<u8>, divided by COLON (`:`). The String is guaranteed
`@@ -525,7 +528,10 @@ pub fn read_header<R: Reader>(stream: &mut R) -> HttpResult<Option<RawHeaderLine`
`525`	`528`	`}`
`526`	`529`	`},`
`527`	`530`	`b':' => break,`
`528`		`- b if is_token(b) => name.push(b as char),`
	`531`	`+ b if is_token(b) => {`
	`532`	`+ if name.len() > MAX_HEADER_NAME_LENGTH { return Err(HttpHeaderError); }`
	`533`	`+ name.push(b as char)`
	`534`	`+ },`
`529`	`535`	`_nontoken => return Err(HttpHeaderError)`
`530`	`536`	`};`
`531`	`537`	`}`
`@@ -542,6 +548,7 @@ pub fn read_header<R: Reader>(stream: &mut R) -> HttpResult<Option<RawHeaderLine`
`542`	`548`	`b' ' if ows => {},`
`543`	`549`	`b => {`
`544`	`550`	`ows = false;`
	`551`	`+ if value.len() > MAX_HEADER_FIELD_LENGTH { return Err(HttpHeaderError); }`
`545`	`552`	`value.push(b)`
`546`	`553`	`}`
`547`	`554`	`};`