Hello,

On Wed, Oct 18, 2023 at 11:31:30AM -0700, Jerry Scharf (he/him/his) wrote:
> We use haproxy for https termination for one of our services. We are trying
> to upgrade to late model haproxy, but have run into a problem. In old
> haproxy versions, it allowed 1k header names and we told our customers
> that.

Ouch! The joys of announcing technical limits to customers instead of
acceptable ones :-/

> In modern versions, it is checked and limited to 254.

Possibly, I would have said something between 64 and 255.

> I saw that this check was in response to a CVE. If I understand the issue,
> it was that it was only 255 that produced the problem, not all lengths
> beyond 255. Is this a correct assessment?

I don't have any such memories; if you had a link to the commit in question
I could possibly confirm based on the info there. But anyway, at such
lengths, 254 or 255 are both considered totally unreasonable.

> Are there any ways around this that I haven't found?

No, definitely not at all. From what I'm seeing in the API's doc, the name's
length is represented on 8 bits (255 max) and the value length on 24 bits
(16 MB max), and both sizes fit into a combined 32-bit block.

> I will need to take this to the folks that own the product requirements and
> I want to give them the right information.

Got it! You can tell them that this has been in effect since 1.9 (via an
opt-in), 2.0 (via an opt-out) and 2.1 definitive. In short, all currently
maintained versions use the same representation.

Hoping this helps,
Willy
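As an added illustration (not from Willy's reply or from HAProxy's source), here is a small C sketch of why an 8-bit name-length field forces a hard cap: the bit layout, the function names and the 254 limit are assumptions for the example, not HAProxy's actual HTX encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed layout for this example (not HAProxy's real encoding):
 * bits 31..24 = header name length   (8 bits,  max 255)
 * bits 23..0  = header value length (24 bits, max 16 MiB - 1) */
#define HDR_NAME_MAX 254u                 /* limit the mail describes */
#define HDR_VAL_MAX  ((1u << 24) - 1u)    /* 24-bit field */

/* Pack both lengths into one 32-bit block.
 * Returns 0 when the pair does not fit (0 is never a valid block here,
 * since an empty header name is rejected as well). */
static uint32_t hdr_pack(size_t nlen, size_t vlen)
{
    if (nlen == 0 || nlen > HDR_NAME_MAX || vlen > HDR_VAL_MAX)
        return 0;
    return ((uint32_t)nlen << 24) | (uint32_t)vlen;
}

static size_t hdr_name_len(uint32_t blk)  { return blk >> 24; }
static size_t hdr_value_len(uint32_t blk) { return blk & 0xFFFFFFu; }

/* Same packing with no bounds check: a 256-byte name wraps to length 0
 * and a 257-byte name to length 1, so the parser would silently read a
 * different header than the one that was sent. This is why the length
 * is validated before it is stored, not why any single value is special. */
static uint32_t hdr_pack_unchecked(size_t nlen, size_t vlen)
{
    return ((uint32_t)(nlen & 0xFFu) << 24) | ((uint32_t)vlen & 0xFFFFFFu);
}

int main(void)
{
    uint32_t ok = hdr_pack(14, 1000);          /* e.g. "Content-Length" */
    printf("checked:   name=%zu value=%zu\n",
           hdr_name_len(ok), hdr_value_len(ok));
    printf("255-byte name accepted? %s\n", hdr_pack(255, 1) ? "yes" : "no");
    printf("unchecked 256-byte name decodes as %zu\n",
           hdr_name_len(hdr_pack_unchecked(256, 1)));
    return 0;
}
```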