From 90d7c7c49b6af90624cca042deb9af38a5e44a2f Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Sun, 6 Mar 2016 02:09:20 +0000
Subject: http: reject excessive headers

HTTP::Parser::XS::PP does not reject excessively large headers like the XS version. Ensure we reject headers over 16K since public-inbox should never need such large request headers.
---
 lib/PublicInbox/HTTP.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'lib/PublicInbox/HTTP.pm')

diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 6c4c20d7..8988e7d2 100644
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -70,7 +70,11 @@ sub rbuf_process {
 	# We do not support Trailers in chunked requests, for now
 	# (they are rarely-used and git (as of 2.7.2) does not use them)
-	return quit($self, 400) if $r == -1 || $env{HTTP_TRAILER};
+	if ($r == -1 || $env{HTTP_TRAILER} ||
+	    # this length-check is necessary for PURE_PERL=1:
+	    ($r == -2 && length($self->{rbuf}) > 0x4000)) {
+		return quit($self, 400);
+	}
 	return $self->watch_read(1) if $r < 0; # incomplete
 	$self->{rbuf} = substr($self->{rbuf}, $r);
-- 
cgit v1.2.3-24-ge0c7
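Review bot: The new oversize-header rejection `($r == -2 && length($self->{rbuf}) > 0x4000)` is folded into the shared `quit($self, 400)` branch, so a client (and any request log) cannot tell "headers too large" from a malformed request or an unsupported Trailer, and the bare `0x4000` is a magic number whose only explanation is the comment above it. RFC 6585 defines 431 Request Header Fields Too Large for exactly this case, so I would give it its own branch with a named limit: `if ($r == -2 && length($self->{rbuf}) > MAX_HEADER_LEN) {` / `return quit($self, 431); # RFC 6585; HTTP::Parser::XS::PP enforces no limit of its own` / `}`, with `use constant MAX_HEADER_LEN => 0x4000;` at the top of the file, leaving the existing `$r == -1 || $env{HTTP_TRAILER}` case on 400. Note the check runs against `$self->{rbuf}` after the read has already been appended, so a client can still make the server buffer up to 16K plus one read's worth before being cut off, which is presumably acceptable for a cap this small but worth stating in the comment. rbuf_process begins before this hunk and continues past it.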