[ruby/net-http] Limit header length

https://github.com/ruby/net-http/commit/c245f7f9c8
author: NAKAMURA Usaku <[email protected]> 2023-03-30 20:10:01 +0900
committer: git <[email protected]> 2023-03-31 03:22:40 +0000
commit: d8b8294c28a09278de357c26b291abf1b9f3cc5d (patch)
tree: 2740266f2c27b1760684a544c86f68225883502c /lib/net/http
parent: 2093e4c2db1e19991e601bf5191eddb4652de35d (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/net/http/header.rb b/lib/net/http/header.rb
index 1425b6b329..324a9538b4 100644
--- a/lib/net/http/header.rb
+++ b/lib/net/http/header.rb
@@ -179,6 +179,8 @@
 # - #each_value: Passes each string field value to the block.
 #
 module Net::HTTPHeader
+  MAX_KEY_LENGTH = 1024
+  MAX_FIELD_LENGTH = 65536
 
   def initialize_http_header(initheader) #:nodoc:
     @header = {}
@@ -189,6 +191,12 @@ module Net::HTTPHeader
         warn "net/http: nil HTTP header: #{key}", uplevel: 3 if $VERBOSE
       else
         value = value.strip # raise error for invalid byte sequences
+        if key.bytesize > MAX_KEY_LENGTH
+          raise ArgumentError, "too long (#{key.bytesize} bytes) header: #{key[0, 30].inspect}..."
+        end
+        if value.bytesize > MAX_FIELD_LENGTH
+          raise ArgumentError, "header #{key} has too long field vallue: #{value.bytesize}"
+        end
         if value.count("\r\n") > 0
           raise ArgumentError, "header #{key} has field value #{value.inspect}, this cannot include CR/LF"
         end
author	NAKAMURA Usaku <[email protected]>	2023-03-30 20:10:01 +0900
committer	git <[email protected]>	2023-03-31 03:22:40 +0000
commit	d8b8294c28a09278de357c26b291abf1b9f3cc5d (patch)
tree	2740266f2c27b1760684a544c86f68225883502c /lib/net/http
parent	2093e4c2db1e19991e601bf5191eddb4652de35d (diff)