This repository has been archived by the owner on Jul 13, 2023. It is now read-only.

feat: Limit the size of allowed HTTP bodies & headers #602

Merged
merged 1 commit into from
Aug 16, 2016

jrconlin
Member

Limits the amount of data preventing a potential DDoS. This extends much
of what's already in place. Twisted limits TCP read chunks to 65K. It
also already limits the max length of header lines to 16,384 bytes. This
forces connections closed if too much data is attempted to be sent.

NOTE: currently too much data events are not being logged, mostly due
to the fact that errors would lack a good deal of useful info.

@pjenvey r?

@codecov-io

codecov-io commented Aug 16, 2016

Current coverage is 100% (diff: 100%)

Merging #602 into master will increase coverage by 0.03%

@@             master   #602   diff @@
======================================
  Files            42     44     +2   
  Lines          8872   8944    +72   
  Methods           0      0          
  Messages          0      0          
  Branches          0      0          
======================================
+ Hits           8869   8944    +75   
+ Misses            3      0     -3   
  Partials          0      0          

Powered by Codecov. Last update f48777a...54c4526

Closes #501
rest = ''

self._contentbuffer.write(data)
if self.content_length <= 0:
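
Review bot: in the lines shown, `self._contentbuffer.write(data)` runs before the `if self.content_length <= 0:` test, and no size check is visible ahead of the write. If the body limit is enforced earlier, a short comment here pointing to it would help; otherwise the cap should be compared against the buffered length before writing, so an oversized chunk is never stored. A one-line comment on why `content_length` can drop below zero would also help the next reader.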

nice bugfix (I noticed this is == 0 in cyclone) =]

@pjenvey
Member

pjenvey commented Aug 16, 2016

r+

I'll note (per your comment on #501) you can also override a factory's buildProtocol to pass the protocol values at runtime (like maxData). That requires customizing your own factory, usually subclassing, though, so it's extra work (I'm totally fine with this patch though, we already do this unclean assignment w/ PushServerProtocol in main.py)

@jrconlin jrconlin merged commit 95d6d41 into master Aug 16, 2016
@jrconlin jrconlin deleted the feat/501 branch September 15, 2016 20:26
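
An added sketch (not autopush, cyclone or Twisted code) of the behaviour this PR describes: reject an oversized declared length up front, test the cap before each buffer write, and drop the connection once it is exceeded. `LimitedBodyReceiver`, `ReceiverFactory`, `max_data` and the `closed` flag are hypothetical stand-ins; the factory handing the limit to each receiver mirrors the runtime-configuration idea raised in the review.

```python
import io

class LimitedBodyReceiver:
    """Hypothetical receiver: buffers one request body under a byte cap."""
    def __init__(self, max_data):
        self.max_data = max_data   # cap in bytes, handed in by the factory
        self.received = 0          # body bytes buffered so far
        self.closed = False        # stands in for dropping the connection
        self.reason = None
        self._buf = io.BytesIO()

    def _abort(self, reason):
        self.closed, self.reason = True, reason
        self._buf = io.BytesIO()   # release whatever was already buffered
        return False

    def start_body(self, content_length):
        """Check the declared size before accepting any body bytes."""
        try:
            length = int(content_length)
        except (TypeError, ValueError):
            return self._abort("bad Content-Length")
        if length < 0:
            return self._abort("negative Content-Length")
        if length > self.max_data:
            return self._abort("declared body too large")
        return True

    def data_received(self, chunk):
        """Buffer a chunk; the cap is tested before the write, not after."""
        if self.closed:
            return False
        if self.received + len(chunk) > self.max_data:
            return self._abort("body too large")
        self._buf.write(chunk)
        self.received += len(chunk)
        return True

    def body(self):
        return self._buf.getvalue()

class ReceiverFactory:
    """Hypothetical factory: passes the limit to each receiver at build time."""
    def __init__(self, max_data):
        self.max_data = max_data

    def build(self):
        return LimitedBodyReceiver(self.max_data)
```

Because the running total is checked independently of the declared length, a peer that understates `Content-Length` or omits it still cannot push the buffer past `max_data`.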