Improve http_body_max directive a bit.

Allow setting it to 0 which will disable HTTP requests that have a body (POST/PUT). Reduce default http_body_max to 1MB by default, 10MB seems large. Revisit to this code inspired by #100.
2025-03-09 04:29:02 -04:00 · 2016-01-08 17:54:40 +01:00 · 2016-01-08 17:54:40 +01:00 · 0647901ef5
commit 0647901ef5
parent 0c47574fe9
5 changed files with 14 additions and 7 deletions
--- a/conf/kore.conf.example
+++ b/conf/kore.conf.example
@ -59,7 +59,8 @@ workers		4
 #	http_header_max		Maximum size of HTTP headers (in bytes).
 #
 #	http_body_max		Maximum size of an HTTP body (in bytes).
-#
+#				If set to 0 disallows requests with a body
+#				all together.
 #	http_keepalive_time	Maximum seconds an HTTP connection can be
 #				kept alive by the browser.
 #				(Set to 0 to disable keepalive completely).
@ -71,7 +72,7 @@ workers		4
 #	http_request_limit	Limit the number of requests Kore processes
 #				in a single event loop.
 #http_header_max	4096
-#http_body_max		10240000
+#http_body_max		1024000
 #http_keepalive_time	0
 #http_hsts_enable	31536000
 #http_request_limit	1000
--- a/includes/http.h
+++ b/includes/http.h
@ -26,7 +26,7 @@ extern "C" {
 #define HTTP_KEEPALIVE_TIME	20
 #define HTTP_HSTS_ENABLE	31536000
 #define HTTP_HEADER_MAX_LEN	4096
-#define HTTP_BODY_MAX_LEN	10240000
+#define HTTP_BODY_MAX_LEN	1024000
 #define HTTP_URI_LEN		2000
 #define HTTP_USERAGENT_LEN	256
 #define HTTP_REQ_HEADER_MAX	25
--- a/includes/kore.h
+++ b/includes/kore.h
@ -73,11 +73,11 @@ extern int daemon(int, int);
 #define KORE_DEFAULT_CIPHER_LIST	"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kRSA:!kDSA"

 #if defined(KORE_DEBUG)
-#define kore_debug(fmt, ...)	\
+#define kore_debug(...)		\
 	if (kore_debug)		\
-		kore_debug_internal(__FILE__, __LINE__, fmt, ##__VA_ARGS__)
+		kore_debug_internal(__FILE__, __LINE__, ##__VA_ARGS__)
 #else
-#define kore_debug(fmt, ...)
+#define kore_debug(...)
 #endif

 #define NETBUF_RECV			0
--- a/src/config.c
+++ b/src/config.c
@ -536,7 +536,7 @@ configure_http_body_max(char **argv)
 		return (KORE_RESULT_ERROR);
 	}

-	http_body_max = kore_strtonum(argv[1], 10, 1, LONG_MAX, &err);
+	http_body_max = kore_strtonum(argv[1], 10, 0, LONG_MAX, &err);
 	if (err != KORE_RESULT_OK) {
 		printf("bad http_body_max value: %s\n", argv[1]);
 		return (KORE_RESULT_ERROR);
--- a/src/http.c
+++ b/src/http.c
@ -591,6 +591,12 @@ http_header_recv(struct netbuf *nb)
 	}

 	if (req->flags & HTTP_REQUEST_EXPECT_BODY) {
+		if (http_body_max == 0) {
+			req->flags |= HTTP_REQUEST_DELETE;
+			http_error_response(req->owner, 405);
+			return (KORE_RESULT_OK);
+		}
+
 		if (!http_request_header(req, "content-length", &p)) {
 			kore_debug("expected body but no content-length");
 			req->flags |= HTTP_REQUEST_DELETE;