This is mostly a "do not allow infinity headers" limit in the sense
of "it's good to have limits". With modern browsers and users behind
proxies we may actually get over 30 headers, so increase it for now
to 64 - hopefully enough for another decade ;)
Signed-off-by: Thomas Lamprecht <t.lampre...@proxmox.com>
Reported-by: Victor Hooi <victorh...@yahoo.com>
---
PVE/APIServer/AnyEvent.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index efb8168..c55da7f 100644
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -46,7 +46,7 @@ use HTTP::Response;
use Data::Dumper;
use JSON;
-my $limit_max_headers = 30;
+my $limit_max_headers = 64;
my $limit_max_header_size = 8*1024;
my $limit_max_post = 64*1024;
@@ -1184,7 +1184,7 @@ sub unshift_read_header {
eval {
# print "$$: got header: $line\n" if $self->{debug};
- die "to many http header lines\n" if ++$state->{count} >=
$limit_max_headers;
+ die "too many http header lines (> $limit_max_headers)\n" if
++$state->{count} >= $limit_max_headers;
die "http header too large\n" if ($state->{size} += length($line))
>= $limit_max_header_size;
my $r = $reqstate->{request};
--
2.20.1
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
