Limit header length

author: NAKAMURA Usaku <usa@ruby-lang.org> 2023-03-30 20:10:01 +0900
committer: NAKAMURA Usaku <usa@ruby-lang.org> 2023-03-30 20:10:01 +0900
commit: 4ec0bac2d9bd29541442709e6c2b62dee688c1ac (patch)
tree: 58f4006fab12d90250c7d2e58b797d68278b6cae /lib/net/http/header.rb
parent: b427e3570d16c7b68cfa0e5e05be84ba8e3eac36 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index a8901e79cb..526f2713ee 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -9,6 +9,8 @@
 # convenient formats.
 #
 module Net::HTTPHeader
+  MAX_KEY_LENGTH = 1024
+  MAX_FIELD_LENGTH = 65536
 
   def initialize_http_header(initheader)
     @header = {}
@@ -19,6 +21,12 @@ module Net::HTTPHeader
         warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE
       else
         value = value.strip # raise error for invalid byte sequences
+        if key.bytesize > MAX_KEY_LENGTH
+          raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..."
+        end
+        if value.bytesize > MAX_FIELD_LENGTH
+          raise ArgumentError, "header #{key} has too long field vallue: #{value.bytesize}"
+        end
         if value.count("\r\n") > 0
           raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF"
         end
author	NAKAMURA Usaku <usa@ruby-lang.org>	2023-03-30 20:10:01 +0900
committer	NAKAMURA Usaku <usa@ruby-lang.org>	2023-03-30 20:10:01 +0900
commit	4ec0bac2d9bd29541442709e6c2b62dee688c1ac (patch)
tree	58f4006fab12d90250c7d2e58b797d68278b6cae /lib/net/http/header.rb
parent	b427e3570d16c7b68cfa0e5e05be84ba8e3eac36 (diff)