Bug #20247

closed

net/http/header limits are too low

Added by dpsi (Darien Imai) 3 months ago. Updated 3 months ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.3.0 (2023-12-25 revision 5124f9ac75) +YJIT [x86_64-linux]
[ruby-core:116631]

Description

Hello, some of my HTTP tests are failing on Ruby 3.3 due to ArgumentError too long. I am trying to update from Ruby 2.7. I did not see any mention of this change in the net/http changelog, but looking at git history, the limit was added between gem versions 0.3.2 and 0.4.0. https://github.com/ruby/ruby/commit/d8b8294c28a09278de357c26b291abf1b9f3cc5d

I send HTTP requests with long header keys in my testing suite. Many web servers such as Apache, nginx and IIS permit the total length of HTTP headers to be 8K or longer. Tomcat, for example, allows 48K. I am trying to send a request with a header key length of 24K. I think the limit of 1K is too low.

There was not a clear reason for the change, so I request that it gets reverted.
Alternatively the limit could be configurable.

The code being affected by the limit was written for Ruby 1.8, so I am surprised such longstanding behaviour was removed without being listed in the changelog.

Updated by austin (Austin Ziegler) 3 months ago

This should be reported upstream: https://github.com/ruby/net-http and can be found at https://github.com/ruby/net-http/commit/c245f7f9c845f1e7534b4e50b69e94ca9d083ca7.

Based on my reading (https://www.geekersdigest.com/max-http-request-header-size-server-comparison/ was useful), I do not believe that there should be a separate limit (key 1024 + 65536 value), but that if a limit is to be enforced, it should:

  1. Be based on the combined length: key.bytesize + value.bytesize > OVERALL_LIMIT
  2. Be configurable
  3. Optionally be as generous as Golang (1 MiB) for the default value.

Updated by dpsi (Darien Imai) 3 months ago

The upstream repo didn't have info for bug reports in the README, so I looked at the main ruby/ruby instructions instead.
I have filed the same issue with upstream: https://github.com/ruby/net-http/issues/173

Updated by mame (Yusuke Endoh) 3 months ago

  • Status changed from Open to Closed

Discussed at the dev meeting.

This header length limit was introduced to enhance security. Accepting unlimitedly long headers may lead to DoS in some cases. Therefore, we have no plan to revert this limit and are cautious about making it configurable.

If there are many such use cases, it may be considered. But for the time being, please redefine Net::HTTPHeader::MAX_KEY_LENGTH, etc.

(BTW, there is currently no limit on the total number of headers, but we may limit it too.)