httpd-dev mailing list archives

From Aaron Bannert <aa...@clove.org>
Subject Re: don't try this at home
Date Wed, 29 May 2002 14:48:51 GMT
On Wed, May 29, 2002 at 02:47:35PM +0200, Martin Kraemer wrote:
> But IMO we need to have a way to parse the hex string and detect an
> integer overflow at the same time. If an overflow occurs, then
> a 4XX message is appropriate (400 Bad Request rather than
> 413 Request Entity Too Large)

I mostly agree on the codes (not that it matters that much if it's
400 or 413, but I'm sure Roy has an opinion on this). I would think
that 400 makes sense for overflow, but then again, if we can't
handle the size it's not really a bad request...

> Then, as a second step (if the number parsed all right, even if it
> was incredibly long, as in this chunk of 33 bytes:
>  000000000000000000000000000000000000000000000000000000021 CRLF
> ) we can try and verify whether we accept the size. For that, we
> have an upper limit defined by "LimitRequestBody bytes".
> Anything beyond that cannot possibly be accepted.

With this I completely agree, but I think this is already
happening. I'd need to review the code to be sure.

Thanks for the leading-zeros hint, I'll fix that momentarily.

-aaron
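A chunk-size parser of the kind the thread calls for, as an added example that is not httpd's own code: it refuses to shift once the next hex digit could no longer fit in size_t (so overflow is prevented rather than detected after the fact), accepts the zero-padded chunk-size line Martin quoted, and applies a LimitRequestBody-style cap as a separate second check. The `limit` parameter, the status names and the helper function are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of parsing one chunk-size line, mapped to the status codes in the thread. */
typedef enum {
    CHUNK_OK = 0,
    CHUNK_BAD_REQUEST,  /* malformed digits or integer overflow: 400 */
    CHUNK_TOO_LARGE     /* parsed fine but exceeds the configured limit: 413 */
} chunk_status;
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the hex chunk-size at the start of `line`; `limit` plays the role of
   LimitRequestBody (0 = unlimited, an assumption of this example). Overflow is
   checked before each shift, so an arbitrarily long digit string, leading zeros
   included, cannot wrap `value`. */
chunk_status parse_chunk_size(const char *line, size_t limit, size_t *out)
{
    size_t value = 0;
    const char *p = line;
    int d;
    while ((d = hexval((unsigned char)*p)) >= 0) {
        if (value > (SIZE_MAX >> 4))   /* value * 16 would not fit in size_t */
            return CHUNK_BAD_REQUEST;
        value = (value << 4) | (size_t)d;
        p++;
    }
    if (p == line)                     /* no hex digits at all */
        return CHUNK_BAD_REQUEST;
    /* Only a chunk extension, blanks or the CRLF may follow the digits. */
    if (*p != '\0' && *p != ';' && *p != ' ' && *p != '\t' &&
        *p != '\r' && *p != '\n')
        return CHUNK_BAD_REQUEST;
    if (limit != 0 && value > limit)   /* second step: the configured cap */
        return CHUNK_TOO_LARGE;
    *out = value;
    return CHUNK_OK;
}

/* Convenience: the parsed size, or 0 if the line was rejected (use the status
   above where a rejected line must be told apart from the final "0" chunk). */
size_t chunk_size_value(const char *line, size_t limit)
{
    size_t v = 0;
    return parse_chunk_size(line, limit, &v) == CHUNK_OK ? v : 0;
}
```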
