tiny_httpd/tests/unit/dune at ba19880d75608404cb455692cd18eac5808a7c9f - simon/tiny_httpd - Forgejo: Beyond coding. We Forge.

simon/tiny_httpd

mirror of https://github.com/c-cube/tiny_httpd.git synced 2026-03-07 21:37:57 -05:00

Simon Cruanes ba19880d75

github pages / deploy (push) Has been cancelled

Details

build / build (4.13.x, ubuntu-latest) (push) Has been cancelled

Details

build / build (4.14.x, ubuntu-latest) (push) Has been cancelled

Details

build / build (5.03.x, ubuntu-latest) (push) Has been cancelled

Details

hardening bugfixes

* fix: use realpath to validate filesystem paths against traversal

- add string_prefix helper to check path containment
- compute root_canonical once per add_vfs_ call
- use realpath only for filesystem (on_fs=true), keeping simple
  contains_dot_dot check for VFS
- paths are already URL-decoded by Route.rest_of_path_urlencoded

* fix: add header size limits to prevent memory exhaustion

add optional limits to Headers.parse_:
- max_headers: 100 (default)
- max_header_size: 16KiB per header (default)
- max_total_size: 256KiB total (default)

returns 431 status code when limits exceeded per RFC 6585.

2026-02-10 19:57:21 -05:00

4 lines

157 B

Text

Raw Blame History

 (tests
  (names t_util t_buf t_server t_io t_response t_headers)
  (package tiny_httpd)
  (libraries tiny_httpd.core qcheck-core qcheck-core.runner test_util))