diff options
| author | nagachika <nagachika@ruby-lang.org> | 2023-12-09 16:50:08 +0900 |
|---|---|---|
| committer | nagachika <nagachika@ruby-lang.org> | 2023-12-09 16:50:08 +0900 |
| commit | f1097813a30ced07b324daa9699f07dba3b202fa (patch) | |
| tree | 70560866cc074a04d4379015c3daa77caae35a77 | |
| parent | 4797127258f26ebac18d23c5715dde36b8a1b1ef (diff) | |
merge revision(s) d8b8294c28a09278de357c26b291abf1b9f3cc5d,eedcd696a57521a18963d58487db8057a374a67a,bc0a7a641b6d0d3ff979cfa11e25683f8fa59ebd:
[ruby/net-http] Limit header length
https://github.com/ruby/net-http/commit/c245f7f9c8
---
lib/net/http/header.rb | 8 ++++++++
1 file changed, 8 insertions(+)
[ruby/net-http] Fix previous commit
https://github.com/ruby/net-http/commit/1b276e2654
---
lib/net/http/header.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[ruby/net-http] typofix
https://github.com/ruby/net-http/commit/4d31bde125
---
lib/net/http/header.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
| -rw-r--r-- | lib/net/http/header.rb | 8 | ||||
| -rw-r--r-- | version.h | 2 |
2 files changed, 9 insertions, 1 deletions
diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb index 40c119a353..3c061abb83 100644 --- a/lib/net/http/header.rb +++ b/lib/net/http/header.rb @@ -179,6 +179,8 @@ # - #each_value: Passes each string field value to the block. # module Net::HTTPHeader + MAX_KEY_LENGTH = 1024 + MAX_FIELD_LENGTH = 65536 def initialize_http_header(initheader) #:nodoc: @header = {} @@ -189,6 +191,12 @@ module Net::HTTPHeader warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE else value = value.strip # raise error for invalid byte sequences + if key.to_s.bytesize > MAX_KEY_LENGTH + raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..." + end + if value.to_s.bytesize > MAX_FIELD_LENGTH + raise ArgumentError, "header #{key} has too long field value: #{value.bytesize}" + end if value.count("\r\n") > 0 raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF" end @@ -11,7 +11,7 @@ # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR #define RUBY_VERSION_TEENY 2 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR -#define RUBY_PATCHLEVEL 136 +#define RUBY_PATCHLEVEL 137 #include "ruby/version.h" #include "ruby/internal/abi.h" |