Add maxHeadersCount support for http(s)2 server #32388
Comments
Sounds good to me –
I found
@LongTengDao Yeah, actually, that’s the same thing. It’s really unfortunate how the naming mismatches – I guess that means adding an alias makes sense here?
I didn't find that, not only because of the name, but also because of the way to set it... one is a property of the instance, one is in the creation options.
I have no idea. Maybe deprecate

By the way, via reading the source, I found the effects of

```js
// Propagate headers limit from server instance to parser
if (typeof server.maxHeadersCount === 'number') {
  parser.maxHeaderPairs = server.maxHeadersCount << 1;
}
```

```js
let n = headers.length;
// If parser.maxHeaderPairs <= 0 assume that there's no limit.
if (parser.maxHeaderPairs > 0)
  n = MathMin(n, parser.maxHeaderPairs);
incoming._addHeaderLines(headers, n);
```

and prevent excessive

```js
function parserOnHeaders(headers, url) {
  // Once we exceeded headers limit - stop collecting them
  if (this.maxHeaderPairs <= 0 ||
      this._headers.length < this.maxHeaderPairs) {
    this._headers = this._headers.concat(headers);
  }
  this._url += url;
}
```

Does
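A simplified model of the two-stage cap in the snippets quoted in the comment above, added here as an example; it is not part of that comment and not Node.js source. The batch size of 32 and the names `makeParser`, `onHeaders`, `onHeadersComplete` and `simulate` are assumptions made for the demonstration.

```javascript
// Simplified model of the HTTP/1 header cap quoted above; not Node's own code.
// Headers travel as a flat array: [name0, value0, name1, value1, ...]

function makeParser(maxHeadersCount) {
  // One header occupies two array slots, hence the doubling (`<< 1` in the quote).
  // Assumption: the caller always passes a number; 0 means "no limit".
  return { maxHeaderPairs: maxHeadersCount * 2, _headers: [], peak: 0 };
}

// Stage 1: coarse guard while batches arrive. The length is checked *before*
// appending, so a single batch can push the buffer past the limit.
function onHeaders(parser, batch) {
  if (parser.maxHeaderPairs <= 0 ||
      parser._headers.length < parser.maxHeaderPairs) {
    parser._headers = parser._headers.concat(batch);
  }
  parser.peak = Math.max(parser.peak, parser._headers.length);
}

// Stage 2: exact cap when the headers are handed to the request object.
function onHeadersComplete(parser) {
  let n = parser._headers.length;
  if (parser.maxHeaderPairs > 0) n = Math.min(n, parser.maxHeaderPairs);
  const headers = {};
  for (let i = 0; i < n; i += 2) headers[parser._headers[i]] = parser._headers[i + 1];
  // accepted: headers the application sees; buffered: most headers held at once.
  return { accepted: Object.keys(headers).length, buffered: parser.peak / 2 };
}

// Constructed input: `total` distinct headers delivered in batches of
// `batchSize` headers (batchSize is a hypothetical value for this model).
function simulate(maxHeadersCount, total, batchSize) {
  const parser = makeParser(maxHeadersCount);
  for (let start = 0; start < total; start += batchSize) {
    const batch = [];
    const end = Math.min(start + batchSize, total);
    for (let i = start; i < end; i++) batch.push(`x-h${i}`, String(i));
    onHeaders(parser, batch);
  }
  return onHeadersComplete(parser);
}

console.log(simulate(20, 2000, 32)); // oversized request, cap of 20 set
console.log(simulate(0, 2000, 32));  // same request, limit disabled
console.log(simulate(20, 5, 32));    // ordinary request, under the cap
```

In this model the stage 1 guard only stops further batches from accumulating; the exact truncation to the configured count happens in stage 2, and the excess headers are dropped rather than the request being rejected.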
@LongTengDao You should read this PR #16676. And use git blame instead of global text search
I read the source code these days.
I've done this issue which adds aliases for
Maybe just adding an explanation in the docs will resolve this (if we can't remove one of them, and just reserve another)?
Adding docs is a good idea
Fixes: #32388 PR-URL: #33519 Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Zeyu Yang <[email protected]> Reviewed-By: James M Snell <[email protected]>
Is your feature request related to a problem? Please describe.

In http(s)1, the user can limit server.maxHeadersCount for the server, to avoid malicious requests (like a hash collision attack), because normal headers won't be more than 20 in fact. But in http(s)2, the user has no chance to prevent parsing that; even if the user checks request.rawHeaders.length/2>2000 && response.writeHead(400), the request.headers has already been parsed.

Describe the solution you'd like

Add server.maxHeadersCount, just like http(s)1 did.

Describe alternatives you've considered