authorNAKAMURA Usaku <usa@ruby-lang.org>2023-03-30 20:10:01 +0900
committerNAKAMURA Usaku <usa@ruby-lang.org>2023-03-30 20:10:01 +0900
commit4ec0bac2d9bd29541442709e6c2b62dee688c1ac (patch)
tree58f4006fab12d90250c7d2e58b797d68278b6cae
parentb427e3570d16c7b68cfa0e5e05be84ba8e3eac36 (diff)
Limit header length
-rw-r--r--lib/net/http/header.rb8
-rw-r--r--version.h2
2 files changed, 9 insertions, 1 deletions
diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index a8901e79cb..526f2713ee 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -9,6 +9,8 @@
# convenient formats.
#
module Net::HTTPHeader
+ MAX_KEY_LENGTH = 1024
+ MAX_FIELD_LENGTH = 65536
def initialize_http_header(initheader)
@header = {}
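Review bot: The two new public constants carry no comment saying what they bound or what happens when the bound is exceeded, and as constants of `Net::HTTPHeader` they become part of the visible API of every request and response object. I would add directly above them `# Hard upper bounds, in bytes, on a single header name and on a single field value; initialize_http_header raises ArgumentError when either is exceeded.` so a reader does not have to locate the check in the method body to understand them. The definition of `initialize_http_header` continues past the end of this hunk.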
@@ -19,6 +21,12 @@ module Net::HTTPHeader
warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE
else
value = value.strip # raise error for invalid byte sequences
+ if key.bytesize > MAX_KEY_LENGTH
+ raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..."
+ end
+ if value.bytesize > MAX_FIELD_LENGTH
+ raise ArgumentError, "header #{key} has too long field vallue: #{value.bytesize}"
+ end
if value.count("\r\n") > 0
raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF"
end
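Review bot: The new size limits are enforced only on the `initheader` hash walked here, so as far as this hunk shows, headers added after construction through `[]=`/`add_field`/`set_field` (outside this hunk) stay unbounded unless those setters share the check; a small private helper called from both paths would close that gap. The message on the second raise has a typo, and should read `raise ArgumentError, "header #{key} has too long field value: #{value.bytesize}"`. `key.bytesize` also assumes `key` is a String; if Symbol keys were accepted here before, they now fail with NoMethodError instead of ArgumentError, which `key.to_s.bytesize` would avoid. The body of `initialize_http_header` continues past the end of this hunk.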
diff --git a/version.h b/version.h
index bcc562e006..4148199b3a 100644
--- a/version.h
+++ b/version.h
@@ -12,7 +12,7 @@
# define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
#define RUBY_VERSION_TEENY 6
#define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 214
+#define RUBY_PATCHLEVEL 215
#define RUBY_RELEASE_YEAR 2023
#define RUBY_RELEASE_MONTH 3