[Twisted-Python] Limit headers by size and not by number in twisted.web

Hi, I have checked twisted.web.http.HTTPChannel and I see that it limits the headers by number and not by size. https://github.com/twisted/twisted/blob/trunk/twisted/web/http.py#L1596

Maybe I don't see the big picture, but wouldn't this allow the server to load into memory a request with a single header of 1G? Other than changing the HTTPChannel.lineReceived() implementation, is there a way to limit header size?

I did a quick test and the server accepted a 1M cookie value without any problem.

curl --cookie cookies.txt http://localhost:8080

cookies.txt is in this format: https://gist.github.com/adiroiban/8557725

Is this a feature or a bug?

Many thanks!

-- Adi Roiban

Hi Adi, I'm assuming this is somewhat related to http://homakov.blogspot.be/2014/01/cookie-bomb-or-lets-break-internet.html :) I don't know of any mechanisms to limit cookie size. It's probably a good feature to have, and perhaps even enabled by default.

cheers
lvh

Thanks! This is somehow related to ticket https://twistedmatrix.com/trac/ticket/288 , where things are complicated. I am worried about malicious HTTP clients sending huge data which ends up in memory.

My previous example is bad since curl will truncate cookies at 8K. I checked the code more deeply and twisted.protocols.basic.LineReceiver has a default line size of 16384. Together with the default headers count, this gives a default limit of about 7.8MB.

I have created a ticket and we can continue there: https://twistedmatrix.com/trac/ticket/6927

Thanks!

On 22 January 2014 14:48, Laurens Van Houtven <_@lvh.io> wrote:
Hi Adi,
I'm assuming this is somewhat related to http://homakov.blogspot.be/2014/01/cookie-bomb-or-lets-break-internet.html:)
I don't know of any mechanisms to limit cookie size. It's probably a good feature to have, and perhaps even enable by default.
cheers lvh
-- Adi Roiban
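To make the thread's point concrete, here is an added example (not Twisted's code and not code from either poster): a minimal CRLF header reader that enforces a per-line length, a header count, and a total-bytes cap, so the count-only policy can be compared with the size-based one the thread asks for. The line length of 16384 is the LineReceiver default quoted above; the count of 500 is an assumption inferred from the "about 7.8MB" figure (500 × 16384 = 8192000 bytes); the total cap, the function names and the padded request are all constructed for this example.

```python
# Added example, not code from Twisted or from the thread's authors.
# A minimal CRLF header reader that enforces three limits: a per-line
# length (LineReceiver's default, per the thread), a header count, and a
# total-bytes cap, which is the size-based limit the thread asks for.
# The count and total-size values are assumptions for this example.

MAX_LINE_LENGTH = 16384         # LineReceiver default line size quoted in the thread
MAX_HEADERS = 500               # assumed count limit; 500 * 16384 is the ~7.8 MB in the thread
MAX_TOTAL_HEADER_BYTES = 16384  # hypothetical size-based cap for the hardened policy


class HeaderLimitExceeded(Exception):
    """Raised when a header block violates a configured limit."""


def worst_case_header_bytes(max_headers=MAX_HEADERS, max_line_length=MAX_LINE_LENGTH):
    """Bytes a count-only policy can be forced to buffer for a single request."""
    return max_headers * max_line_length


def read_headers(raw, max_headers=MAX_HEADERS, max_line_length=MAX_LINE_LENGTH,
                 max_total_bytes=None):
    """Parse CRLF-separated header lines up to the terminating blank line.

    With max_total_bytes=None this mirrors a count-plus-line-length policy;
    with an integer it also rejects a block whose summed bytes exceed the cap.
    Returns a list of (name, value) byte-string pairs.
    """
    headers = []
    total = 0
    for line in raw.split(b"\r\n"):
        if line == b"":
            break  # blank line ends the header block
        if len(line) > max_line_length:
            raise HeaderLimitExceeded("line too long: %d bytes" % len(line))
        total += len(line)
        if max_total_bytes is not None and total > max_total_bytes:
            raise HeaderLimitExceeded("header block too large: %d bytes" % total)
        if len(headers) >= max_headers:
            raise HeaderLimitExceeded("too many headers: more than %d" % max_headers)
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def is_accepted(raw, **limits):
    """True if read_headers() accepts the block under the given limits."""
    try:
        read_headers(raw, **limits)
        return True
    except HeaderLimitExceeded:
        return False


def build_request(n_headers, value_len):
    """Constructed header block: a Host line plus n_headers padding headers."""
    lines = [b"Host: localhost:8080"]
    for i in range(n_headers):
        lines.append(b"X-Pad-%d: " % i + b"x" * value_len)
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    # 500 headers of ~16 KB each: passes the count-only policy, fails the size cap.
    big = build_request(MAX_HEADERS - 1, 16000)
    print("worst case under count-only policy: %d bytes" % worst_case_header_bytes())
    print("count-only accepts the ~8 MB block:", is_accepted(big))
    print("size-capped accepts the ~8 MB block:",
          is_accepted(big, max_total_bytes=MAX_TOTAL_HEADER_BYTES))
```

Each padded line stays under the 16384-byte line limit, so neither the line check nor the count check fires; only the summed-bytes check in the hardened policy rejects the block, which is the gap the thread is describing.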