[core] server.max-request-field-size (fixes #2130)

limits total size per request of request headers submitted by client default limit set to 8k (prior lighttpd <= 1.4.41 hard-coded 64k limit) (similar to Apache directive LimitRequestFieldSize) x-ref: "limits the size of HTTP request header" https://redmine.lighttpd.net/issues/2130
5 years ago · 1018ff9922
4 changed files with 12 additions and 6 deletions
--- a/src/base.h
+++ b/src/base.h
@ -539,6 +539,7 @@ typedef struct {
 	array *modules;
 	array *upload_tempdirs;
 	unsigned int upload_temp_file_size;
+	unsigned int max_request_field_size;

 	unsigned short max_worker;
 	unsigned short max_fds;
--- a/src/configfile.c
+++ b/src/configfile.c
@ -122,6 +122,7 @@ static int config_insert(server *srv) {
 		{ "server.bsd-accept-filter",          NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_CONNECTION }, /* 75 */
 		{ "server.stream-request-body",        NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_CONNECTION }, /* 76 */
 		{ "server.stream-response-body",       NULL, T_CONFIG_SHORT,   T_CONFIG_SCOPE_CONNECTION }, /* 77 */
+		{ "server.max-request-field-size",     NULL, T_CONFIG_INT,     T_CONFIG_SCOPE_SERVER     }, /* 78 */

 		{ NULL,                                NULL, T_CONFIG_UNSET,   T_CONFIG_SCOPE_UNSET      }
 	};
@ -160,6 +161,7 @@ static int config_insert(server *srv) {
 	cv[72].destination = &(srv->srvconf.http_header_strict);
 	cv[73].destination = &(srv->srvconf.http_host_strict);
 	cv[74].destination = &(srv->srvconf.http_host_normalize);
+	cv[78].destination = &(srv->srvconf.max_request_field_size);

 	srv->config_storage = calloc(1, srv->config_context->used * sizeof(specific_config *));

--- a/src/connections.c
+++ b/src/connections.c
@ -911,18 +911,20 @@ found_header_end:
 			}

 			connection_set_state(srv, con, CON_STATE_REQUEST_END);
-		} else if (chunkqueue_length(cq) > 64 * 1024) {
-			log_error_write(srv, __FILE__, __LINE__, "s", "oversized request-header -> sending Status 414");
-
-			con->http_status = 414; /* Request-URI too large */
-			con->keep_alive = 0;
-			connection_set_state(srv, con, CON_STATE_HANDLE_REQUEST);
 		} else if (is_closed) {
 			/* the connection got closed and we didn't got enough data to leave CON_STATE_READ;
 			 * the only way is to leave here */
 			connection_set_state(srv, con, CON_STATE_ERROR);
 		}

+		if ((last_chunk ? buffer_string_length(con->request.request) : (size_t)chunkqueue_length(cq))
+		    > srv->srvconf.max_request_field_size) {
+			log_error_write(srv, __FILE__, __LINE__, "s", "oversized request-header -> sending Status 431");
+			con->http_status = 431; /* Request Header Fields Too Large */
+			con->keep_alive = 0;
+			connection_set_state(srv, con, CON_STATE_HANDLE_REQUEST);
+		}
+
 	chunkqueue_remove_finished_chunks(cq);

 	return 0;
--- a/src/server.c
+++ b/src/server.c
@ -281,6 +281,7 @@ static server *server_init(void) {
 	srv->srvconf.http_host_strict    = 1; /*(implies http_host_normalize)*/
 	srv->srvconf.http_host_normalize = 0;
 	srv->srvconf.high_precision_timestamps = 0;
+	srv->srvconf.max_request_field_size = 8192;

 	/* use syslog */
 	srv->errorlog_fd = STDERR_FILENO;