max content length for POST requests can be modified at runtime

Author: alor

README

@@ -19,7 +19,12 @@
 
      def post_init
        super
-       no_environment_strings
+
+       # faster if you don't need evironment variables (CGI methods)
+       self.no_environment_strings
+
+       # max length of the POST content
+       self.max_content_length = 10_000_000
      end
 
     def process_http_request

Rakefile

@@ -20,7 +20,8 @@ namespace :build do
   end
   CLEAN.include('ext/Makefile')
   CLEAN.include('ext/*.log')
-  
+  CLEAN.include('ext/*.o')
+
   libfile = "ext/eventmachine_httpserver.#{Config::CONFIG['DLEXT']}"
   file libfile => ['ext/Makefile', *sources] do
     Dir.chdir 'ext' do

ext/http.cpp

@@ -75,6 +75,10 @@ HttpConnection_t::HttpConnection_t()
 	// instead of buffering it here. To get the latter behavior, user code must call
 	// dont_accumulate_post.
 	bAccumulatePost = true;
+
+	// By default this limit is initialized to 20 MiB, it could be changed at runtime
+	// by the user if needed
+	ContentLengthLimit = MaxContentLength;
 }
 
 
@@ -140,6 +144,20 @@ void HttpConnection_t::ReceivePostData (const char *data, int len)
 	cerr << "UNIMPLEMENTED ReceivePostData" << endl;
 }
 
+/*********************************
+HttpConnection_t::Get/SetMaxContentLength
+*********************************/
+
+int HttpConnection_t::GetMaxContentLength ()
+{
+	return ContentLengthLimit;
+}
+
+void HttpConnection_t::SetMaxContentLength (int len)
+{
+	ContentLengthLimit = len;
+}
+
 /*****************************
 HttpConnection_t::ConsumeData
 *****************************/
@@ -254,7 +272,7 @@ void HttpConnection_t::ConsumeData (const char *data, int length)
 			}
 			else {
 				const char *nl = strpbrk (data, "\r\n");
-				int len = nl ? (nl - data) : length;
+				int len = nl ? (int)(nl - data) : length;
 				if ((size_t)(HeaderLinePos + len) >= sizeof(HeaderLine)) {
 					// TODO, log this
 					goto fail_connection;
@@ -358,17 +376,17 @@ bool HttpConnection_t::_InterpretHeaderLine (const char *header)
 		if (bContentLengthSeen) {
 			// TODO, log this. There are some attacks that depend
 			// on sending more than one content-length header.
-			_SendError (406);
+			_SendError (400, "Bad Request");
 			return false;
 		}
 		bContentLengthSeen = true;
 		const char *s = header + 15;
 		while (*s && ((*s==' ') || (*s=='\t')))
 			s++;
 		ContentLength = atoi (s);
-		if (ContentLength > MaxContentLength) {
+		if (ContentLength > ContentLengthLimit) {
 			// TODO, log this.
-			_SendError (406);
+			_SendError (413, "Request Entity Too Large");
 			return false;
 		}
 	}
@@ -400,7 +418,7 @@ bool HttpConnection_t::_InterpretHeaderLine (const char *header)
 
 	// Copy the incoming header into a block
 	if ((HeaderBlockPos + strlen(header) + 1) < HeaderBlockSize) {
-		int len = strlen(header);
+		int len = (int)strlen(header);
 		memcpy (HeaderBlock+HeaderBlockPos, header, len);
 		HeaderBlockPos += len;
 		HeaderBlock [HeaderBlockPos++] = 0;
@@ -439,26 +457,27 @@ bool HttpConnection_t::_InterpretRequest (const char *header)
 
 	const char *blank = strchr (header, ' ');
 	if (!blank) {
-		_SendError (406);
+		_SendError (400, "Bad Request");
 		return false;
 	}
 
-	if (!_DetectVerbAndSetEnvString (header, blank - header))
+	if (!_DetectVerbAndSetEnvString (header, (int)(blank - header)))
 		return false;
 
 	blank++;
 	if (*blank != '/') {
-		_SendError (406);
+		_SendError (400, "Bad Request");
 		return false;
 	}
 
 	const char *blank2 = strchr (blank, ' ');
 	if (!blank2) {
-		_SendError (406);
+		_SendError (400, "Bad Request");
 		return false;
 	}
+
 	if (strcasecmp (blank2 + 1, "HTTP/1.0") && strcasecmp (blank2 + 1, "HTTP/1.1")) {
-		_SendError (505);
+		_SendError (505, "HTTP Version Not Supported");
 		return false;
 	}
 
@@ -573,13 +592,18 @@ HttpConnection_t::_SendError
 ****************************/
 
 void HttpConnection_t::_SendError (int code)
+{
+    _SendError(code, "...");
+}
+
+void HttpConnection_t::_SendError (int code, const char *desc)
 {
 	stringstream ss;
-	ss << "HTTP/1.1 " << code << " ...\r\n";
+	ss << "HTTP/1.1 " << code << " " << desc << "\r\n";
 	ss << "Connection: close\r\n";
 	ss << "Content-type: text/plain\r\n";
 	ss << "\r\n";
 	ss << "Detected error: HTTP code " << code;
 
-	SendData (ss.str().c_str(), ss.str().length());
-}
+	SendData (ss.str().c_str(), (int)ss.str().length());
+}

ext/http.h

@@ -58,6 +58,8 @@ class HttpConnection_t
 		virtual void ReceivePostData(const char *data, int len);
 		virtual void SetNoEnvironmentStrings() {bSetEnvironmentStrings = false;}
 		virtual void SetDontAccumulatePost() {bAccumulatePost = false;}
+		virtual int GetMaxContentLength();
+		virtual void SetMaxContentLength(int len);
 
   private:
 
@@ -85,6 +87,7 @@ class HttpConnection_t
 		int HeaderBlockPos;
 
 		int ContentLength;
+		int ContentLengthLimit;
 		int ContentPos;
 		char *_Content;
 
@@ -107,6 +110,7 @@ class HttpConnection_t
 		bool _InterpretRequest (const char*);
 		bool _DetectVerbAndSetEnvString (const char*, int);
 		void _SendError (int);
+		void _SendError (int, const char*);
 };
 
 #endif // __HttpPersonality__H_

ext/rubyhttp.cpp

@@ -258,6 +258,33 @@ static VALUE t_dont_accumulate_post (VALUE self)
 	return Qnil;
 }
 
+/**********************
+t_get_max_content_length
+**********************/
+
+static VALUE t_get_max_content_length (VALUE self)
+{
+	RubyHttpConnection_t *hc = (RubyHttpConnection_t*)(NUM2LONG (rb_ivar_get (self, Intern_http_conn)));
+	if (hc)
+		return INT2FIX (hc->GetMaxContentLength());
+		
+	return Qnil;
+}
+
+/**********************
+t_set_max_content_length
+**********************/
+
+static VALUE t_set_max_content_length (VALUE self, VALUE data)
+{
+	RubyHttpConnection_t *hc = (RubyHttpConnection_t*)(NUM2LONG (rb_ivar_get (self, Intern_http_conn)));
+	if (hc) {
+		hc->SetMaxContentLength(FIX2INT(data));
+		return INT2FIX (hc->GetMaxContentLength());
+    }
+    
+	return Qnil;
+}
 
 /****************************
 Init_eventmachine_httpserver
@@ -276,4 +303,6 @@ extern "C" void Init_eventmachine_httpserver()
 	rb_define_method (HttpServer, "process_http_request", (VALUE(*)(...))t_process_http_request, 0);
 	rb_define_method (HttpServer, "no_environment_strings", (VALUE(*)(...))t_no_environment_strings, 0);
 	rb_define_method (HttpServer, "dont_accumulate_post", (VALUE(*)(...))t_dont_accumulate_post, 0);
+	rb_define_method (HttpServer, "max_content_length", (VALUE(*)(...))t_get_max_content_length, 0);
+    rb_define_method (HttpServer, "max_content_length=", (VALUE(*)(...))t_set_max_content_length, 1);
 }