From 4ec0bac2d9bd29541442709e6c2b62dee688c1ac Mon Sep 17 00:00:00 2001
From: NAKAMURA Usaku
Date: Thu, 30 Mar 2023 20:10:01 +0900
Subject: Limit header length

---
 lib/net/http/header.rb | 8 ++++++++
 version.h | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index a8901e79cb..526f2713ee 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -9,6 +9,8 @@
 # convenient formats.
 #
 module Net::HTTPHeader
+  MAX_KEY_LENGTH = 1024
+  MAX_FIELD_LENGTH = 65536
 
   def initialize_http_header(initheader)
     @header = {}
@@ -19,6 +21,12 @@ module Net::HTTPHeader
         warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE
       else
         value = value.strip # raise error for invalid byte sequences
+        if key.bytesize > MAX_KEY_LENGTH
+          raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..."
+        end
+        if value.bytesize > MAX_FIELD_LENGTH
+          raise ArgumentError, "header #{key} has too long field vallue: #{value.bytesize}"
+        end
         if value.count("\r\n") > 0
           raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF"
         end
diff --git a/version.h b/version.h
index bcc562e006..4148199b3a 100644
--- a/version.h
+++ b/version.h
@@ -12,7 +12,7 @@
 # define RUBY_VERSION_MINOR RUBY_API_VERSION_MINOR
 #define RUBY_VERSION_TEENY 6
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 214
+#define RUBY_PATCHLEVEL 215
 
 #define RUBY_RELEASE_YEAR 2023
 #define RUBY_RELEASE_MONTH 3
-- 
cgit v1.2.3
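Review bot: The new field-length error message in the second header.rb hunk has a typo ("vallue") that will end up in user-facing exceptions and log greps: `raise ArgumentError, "header #{key} has too long field value: #{value.bytesize}"`. The same hunk calls `key.bytesize`, which exists on String but not on Symbol; if initheader has ever been accepted with Symbol keys (the downcasing store a few lines below this hunk would tolerate them), those keys now fail with NoMethodError instead of the intended ArgumentError, so `key.to_s.bytesize` would be the safer form — please confirm against the callers. Both limits are enforced only inside initialize_http_header, whose body begins and ends outside the hunk; whether the other header setters apply the same bounds is not visible here and is worth checking so the cap cannot be sidestepped. The two constants added in the first hunk are public module constants with no explanation; a short comment such as `# Upper bounds on header name / field-value size in bytes; exceeding them raises ArgumentError` would document the contract they introduce.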