mirror of
				https://github.com/pocoproject/poco.git
				synced 2025-10-25 02:06:04 +02:00 
			
		
		
		
	fix a potential DoS (through memory exhaustion) by restricting HTML form field name and value sizes
This commit is contained in:
		| @@ -184,11 +184,19 @@ public: | ||||
| 		/// Specify 0 for unlimited (not recommended). | ||||
| 		/// | ||||
| 		/// The default limit is 100. | ||||
| 		 | ||||
| 	void setValueLengthLimit(int limit); | ||||
| 		/// Sets the maximum size for form field values | ||||
| 		/// stored as strings. | ||||
| 		 | ||||
| 	int getValueLengthLimit() const; | ||||
| 		/// Returns the maximum size for form field values | ||||
| 		/// stored as strings. | ||||
|  | ||||
| 	static const std::string ENCODING_URL;       /// "application/x-www-form-urlencoded" | ||||
| 	static const std::string ENCODING_MULTIPART; /// "multipart/form-data" | ||||
|  | ||||
| 	static const int         UNKNOWN_CONTENT_LENGTH; | ||||
| 	 | ||||
| protected: | ||||
| 	void readUrl(std::istream& istr); | ||||
| 	void readMultipart(std::istream& istr, PartHandler& handler); | ||||
| @@ -201,7 +209,9 @@ private: | ||||
|  | ||||
| 	enum Limits | ||||
| 	{ | ||||
| 		DFL_FIELD_LIMIT = 100 | ||||
| 		DFL_FIELD_LIMIT = 100, | ||||
| 		MAX_NAME_LENGTH  = 1024, | ||||
| 		DFL_MAX_VALUE_LENGTH = 256*1024 | ||||
| 	}; | ||||
|  | ||||
| 	struct Part | ||||
| @@ -213,6 +223,7 @@ private: | ||||
| 	typedef std::vector<Part> PartVec; | ||||
| 	 | ||||
| 	int         _fieldLimit; | ||||
| 	int         _valueLengthLimit; | ||||
| 	std::string _encoding; | ||||
| 	std::string _boundary; | ||||
| 	PartVec     _parts; | ||||
| @@ -240,6 +251,12 @@ inline int HTMLForm::getFieldLimit() const | ||||
| } | ||||
|  | ||||
|  | ||||
| inline int HTMLForm::getValueLengthLimit() const | ||||
| { | ||||
| 	return _valueLengthLimit; | ||||
| } | ||||
|  | ||||
|  | ||||
| } } // namespace Poco::Net | ||||
|  | ||||
|  | ||||
|   | ||||
| @@ -73,6 +73,7 @@ private: | ||||
|  | ||||
| HTMLForm::HTMLForm(): | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT), | ||||
| 	_valueLengthLimit(DFL_MAX_VALUE_LENGTH), | ||||
| 	_encoding(ENCODING_URL) | ||||
| { | ||||
| } | ||||
| @@ -80,27 +81,31 @@ HTMLForm::HTMLForm(): | ||||
| 	 | ||||
| HTMLForm::HTMLForm(const std::string& encoding): | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT), | ||||
| 	_valueLengthLimit(DFL_MAX_VALUE_LENGTH), | ||||
| 	_encoding(encoding) | ||||
| { | ||||
| } | ||||
|  | ||||
|  | ||||
| HTMLForm::HTMLForm(const HTTPRequest& request, std::istream& requestBody, PartHandler& handler): | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT) | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT), | ||||
| 	_valueLengthLimit(DFL_MAX_VALUE_LENGTH) | ||||
| { | ||||
| 	load(request, requestBody, handler); | ||||
| } | ||||
|  | ||||
|  | ||||
| HTMLForm::HTMLForm(const HTTPRequest& request, std::istream& requestBody): | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT) | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT), | ||||
| 	_valueLengthLimit(DFL_MAX_VALUE_LENGTH) | ||||
| { | ||||
| 	load(request, requestBody); | ||||
| } | ||||
|  | ||||
|  | ||||
| HTMLForm::HTMLForm(const HTTPRequest& request): | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT) | ||||
| 	_fieldLimit(DFL_FIELD_LIMIT), | ||||
| 	_valueLengthLimit(DFL_MAX_VALUE_LENGTH) | ||||
| { | ||||
| 	load(request); | ||||
| } | ||||
| @@ -300,7 +305,10 @@ void HTMLForm::readUrl(std::istream& istr) | ||||
| 		while (ch != eof && ch != '=' && ch != '&') | ||||
| 		{ | ||||
| 			if (ch == '+') ch = ' '; | ||||
| 			name += (char) ch; | ||||
| 			if (name.size() < MAX_NAME_LENGTH) | ||||
| 				name += (char) ch; | ||||
| 			else | ||||
| 				throw HTMLFormException("Field name too long"); | ||||
| 			ch = istr.get(); | ||||
| 		} | ||||
| 		if (ch == '=') | ||||
| @@ -309,7 +317,10 @@ void HTMLForm::readUrl(std::istream& istr) | ||||
| 			while (ch != eof && ch != '&') | ||||
| 			{ | ||||
| 				if (ch == '+') ch = ' '; | ||||
| 				value += (char) ch; | ||||
| 				if (value.size() < _valueLengthLimit) | ||||
| 					value += (char) ch; | ||||
| 				else | ||||
| 					throw HTMLFormException("Field value too long"); | ||||
| 				ch = istr.get(); | ||||
| 			} | ||||
| 		} | ||||
| @@ -363,7 +374,10 @@ void HTMLForm::readMultipart(std::istream& istr, PartHandler& handler) | ||||
| 			int ch = istr.get(); | ||||
| 			while (ch != eof) | ||||
| 			{ | ||||
| 				value += (char) ch; | ||||
| 				if (value.size() < _valueLengthLimit) | ||||
| 					value += (char) ch; | ||||
| 				else | ||||
| 					throw HTMLFormException("Field value too long"); | ||||
| 				ch = istr.get(); | ||||
| 			} | ||||
| 			add(name, value); | ||||
| @@ -445,4 +459,12 @@ void HTMLForm::setFieldLimit(int limit) | ||||
| } | ||||
|  | ||||
|  | ||||
| void HTMLForm::setValueLengthLimit(int limit) | ||||
| { | ||||
| 	poco_assert (limit >= 0); | ||||
| 	 | ||||
| 	_valueLengthLimit = limit; | ||||
| } | ||||
|  | ||||
|  | ||||
| } } // namespace Poco::Net | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Guenter Obiltschnig
					Guenter Obiltschnig