* fix: use realpath to validate filesystem paths against traversal - add string_prefix helper to check path containment - compute root_canonical once per add_vfs_ call - use realpath only for filesystem (on_fs=true), keeping simple contains_dot_dot check for VFS - paths are already URL-decoded by Route.rest_of_path_urlencoded * fix: add header size limits to prevent memory exhaustion add optional limits to Headers.parse_: - max_headers: 100 (default) - max_header_size: 16KiB per header (default) - max_total_size: 256KiB total (default) returns 431 status code when limits exceeded per RFC 6585.
open Tiny_httpd_core
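(** Check that the per-header size limit is enforced: a request carrying a
    single header value larger than 16 KiB must be rejected by the request
    parser with status 431 (RFC 6585, Request Header Fields Too Large).

    Raises [Failure] if the request is accepted, or if it is rejected with
    any status other than 431. *)
let test_header_too_large () =
  (* 20000 bytes of value exceeds the 16 KiB default per-header limit while
     the request stays well under the header-count and total-size limits,
     so this exercises the per-header check specifically. *)
  let large_value = String.make 20000 'x' in
  let q =
    "GET / HTTP/1.1\r\nHost: example.com\r\nX-Large: " ^ large_value
    ^ "\r\n\r\n"
  in
  let str = IO.Input.of_string q in
  (* The parser requires a client address; a loopback placeholder suffices. *)
  let client_addr = Unix.(ADDR_INET (inet_addr_loopback, 1024)) in
  let buf = Buf.create () in
  match
    Request.Private_.parse_req_start_exn ~client_addr ~buf
      ~get_time_s:(fun _ -> 0.)
      str
  with
  | _ -> failwith "should have failed with 431"
  | exception Tiny_httpd_core.Response.Bad_req (431, _) -> () (* expected *)
  | exception Tiny_httpd_core.Response.Bad_req (code, msg) ->
    (* A rejection with the wrong status is also a failure; report the
       actual code so the mismatch is diagnosable rather than surfacing as
       an unexplained escaping exception. *)
    failwith (Printf.sprintf "expected 431, got %d: %s" code msg)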
(* Entry point: run the check when the test binary starts. An uncaught
   exception from the check makes the process exit non-zero. *)
let () =
  test_header_too_large ()