Diffstat (limited to 'lib/net/http/header.rb')
-rw-r--r--lib/net/http/header.rb36
1 files changed, 26 insertions, 10 deletions
diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index 1425b6b329..5dcdcc7d74 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -1,4 +1,4 @@
-# frozen_string_literal: false
+# frozen_string_literal: true
#
# The \HTTPHeader module provides access to \HTTP headers.
#
@@ -179,6 +179,10 @@
# - #each_value: Passes each string field value to the block.
#
module Net::HTTPHeader
+ # The maximum length of HTTP header keys.
+ MAX_KEY_LENGTH = 1024
+ # The maximum length of HTTP header values.
+ MAX_FIELD_LENGTH = 65536
def initialize_http_header(initheader) #:nodoc:
@header = {}
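Review bot: The comments on `MAX_KEY_LENGTH` and `MAX_FIELD_LENGTH` do not give the unit or the effect of exceeding the limit, although the checks added further down in `initialize_http_header` compare `bytesize` and raise ArgumentError. Wording such as `# The maximum length of an HTTP header key, in bytes; longer keys raise ArgumentError.` (and the same for field values) would make that contract visible. Both constants also become part of the namespace of every class that includes Net::HTTPHeader, so if they are not meant as public API a `# :nodoc:` or `private_constant` would be worth considering.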
@@ -189,6 +193,12 @@ module Net::HTTPHeader
warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE
else
value = value.strip # raise error for invalid byte sequences
+ if key.to_s.bytesize > MAX_KEY_LENGTH
+ raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..."
+ end
+ if value.to_s.bytesize > MAX_FIELD_LENGTH
+ raise ArgumentError, "header #{key} has too long field value: #{value.bytesize}"
+ end
if value.count("\r\n") > 0
raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF"
end
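Review bot: The key-length guard tests `key.to_s.bytesize` but its message interpolates `key.bytesize`, so a key that actually needs the `to_s` conversion (a Symbol, which has no `bytesize`) would raise NoMethodError instead of the intended ArgumentError once it exceeds MAX_KEY_LENGTH. Convert once and reuse the result: `name = key.to_s`, then `raise ArgumentError, "too long (#{name.bytesize} bytes) header: #{name[0, 30].inspect}..."`. The `value.to_s` in the second guard is redundant because `value` is already the result of `strip`. The enclosing method starts and ends outside this hunk, and the visible hunks add the limits only on this initialisation path; whether `set_field` and the other setters enforce the same bounds cannot be seen from here and should be confirmed.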
@@ -259,6 +269,7 @@ module Net::HTTPHeader
end
end
+ # :stopdoc:
private def set_field(key, val)
case val
when Enumerable
@@ -286,6 +297,7 @@ module Net::HTTPHeader
ary.push val
end
end
+ # :startdoc:
# Returns the array field value for the given +key+,
# or +nil+ if there is no such field;
@@ -482,8 +494,8 @@ module Net::HTTPHeader
alias canonical_each each_capitalized
- def capitalize(name)
- name.to_s.split(/-/).map {|s| s.capitalize }.join('-')
+ def capitalize(name) # :nodoc:
+ name.to_s.split('-'.freeze).map {|s| s.capitalize }.join('-'.freeze)
end
private :capitalize
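Review bot: The `'-'.freeze` calls in `capitalize` are redundant, because this same commit switches the file to `# frozen_string_literal: true` and string literals are then already frozen. `name.to_s.split('-').map {|s| s.capitalize }.join('-')` behaves the same and reads more cleanly.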
@@ -691,10 +703,14 @@ module Net::HTTPHeader
# res.content_type # => "application/json"
#
def content_type
- return nil unless main_type()
- if sub_type()
- then "#{main_type()}/#{sub_type()}"
- else main_type()
+ main = main_type()
+ return nil unless main
+
+ sub = sub_type()
+ if sub
+ "#{main}/#{sub}"
+ else
+ main
end
end
@@ -945,12 +961,12 @@ module Net::HTTPHeader
@header['proxy-authorization'] = [basic_encode(account, password)]
end
- def basic_encode(account, password)
+ def basic_encode(account, password) # :nodoc:
'Basic ' + ["#{account}:#{password}"].pack('m0')
end
private :basic_encode
-# Returns whether the HTTP session is to be closed.
+ # Returns whether the HTTP session is to be closed.
def connection_close?
token = /(?:\A|,)\s*close\s*(?:\z|,)/i
@header['connection']&.grep(token) {return true}
@@ -958,7 +974,7 @@ module Net::HTTPHeader
false
end
-# Returns whether the HTTP session is to be kept alive.
+ # Returns whether the HTTP session is to be kept alive.
def connection_keep_alive?
token = /(?:\A|,)\s*keep-alive\s*(?:\z|,)/i
@header['connection']&.grep(token) {return true}