httpd: uri length

Larry Doolittle ldoolitt at recycle.lbl.gov
Mon Sep 5 06:15:23 UTC 2005


Rob et al. -

On Sun, Sep 04, 2005 at 10:58:37PM -0500, Rob Landley wrote:
> On Sunday 04 September 2005 06:40, Dirk Clemens wrote:
> > Should we set a maximum allowed URI length?
> 
> I think malloc and free in the wrapper is better than limiting the URI length.  
> We already read in an arbitrary length in the first place, right?
> 
> I dunno about protecting against denial of service attacks that force an out 
> of memory condition with a 10 megabyte URL, but if we'd be putting in the 
> limit for the sake of alloca(), that isn't a good trade-off to me...

Boa (another web server) takes DOS attacks very seriously.
It sets hard limits (compile time constants) on total request
length, and a few other important buffer sizes.   Specifically:

#define CLIENT_STREAM_SIZE                      8192
#define BUFFER_SIZE                             4096
#define MAX_HEADER_LENGTH                       1024

Unlike the web standards committees, I consider these hard limits
a feature, not a bug.

In the last decade of Boa support, I have only received a single
e-mail describing a case where these limits caused problems.
Doubling them then made the problem go away, although there
was something very snarky about the web proxy setup that was
the ultimate origin of that user's problem.

       - Larry
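
A sketch of the hard-limit approach described in this message, added here as an example (it is not Boa or BusyBox code): a fixed per-connection buffer that rejects an oversized request line instead of growing. REQ_BUF_SIZE, struct conn and conn_feed are hypothetical names; the 8192 value mirrors CLIENT_STREAM_SIZE above, and the roughly 10 MB input in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit; the value mirrors CLIENT_STREAM_SIZE quoted above. */
#define REQ_BUF_SIZE 8192

enum feed_result { NEED_MORE, REQUEST_LINE_OK, URI_TOO_LONG, BAD_REQUEST };

struct conn {
    char buf[REQ_BUF_SIZE];          /* fixed storage, never reallocated */
    size_t used;
    const char *uri; size_t uri_len; /* point into buf once parsed */
};

/* Append received bytes; parse "METHOD SP URI SP VERSION" once a line ends. */
enum feed_result conn_feed(struct conn *c, const char *data, size_t n)
{
    size_t room = REQ_BUF_SIZE - c->used;
    size_t take = n < room ? n : room;   /* excess input is dropped */
    memcpy(c->buf + c->used, data, take);
    c->used += take;

    char *eol = memchr(c->buf, '\n', c->used);
    if (!eol)   /* buffer full and still no end of line: reject, do not grow */
        return c->used == REQ_BUF_SIZE ? URI_TOO_LONG : NEED_MORE;

    char *sp1 = memchr(c->buf, ' ', (size_t)(eol - c->buf));
    if (!sp1)
        return BAD_REQUEST;
    char *uri = sp1 + 1;
    char *sp2 = memchr(uri, ' ', (size_t)(eol - uri));
    if (!sp2 || sp2 == uri)
        return BAD_REQUEST;
    c->uri = uri;
    c->uri_len = (size_t)(sp2 - uri);
    return REQUEST_LINE_OK;
}

int main(void)
{
    static struct conn c;                /* zero-initialised */
    char chunk[4096];
    memset(chunk, 'A', sizeof chunk);    /* constructed oversized URI */
    enum feed_result r = conn_feed(&c, "GET /", 5);
    for (int i = 0; i < 2560 && r == NEED_MORE; i++)  /* ~10 MB offered */
        r = conn_feed(&c, chunk, sizeof chunk);
    puts(r == URI_TOO_LONG ? "414 Request-URI Too Long" : "unexpected");
    return r == URI_TOO_LONG ? 0 : 1;
}
```

However much the client sends, memory per connection stays at sizeof(struct conn), and the rejection happens after at most REQ_BUF_SIZE bytes have been stored.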