authorXavier Del Campo Romero <xavi.dcr@tutanota.com>2024-02-19 23:00:56 +0100
committerXavier Del Campo Romero <xavi.dcr@tutanota.com>2024-02-19 23:00:56 +0100
commitafe0681c0b26bb64bad55d7e86770f346cfa043e (patch)
tree420dbf3084332bf1750d0986ea118b427aed7364 /include
parent9d9e0c2979f43297b2ebbf84f14f064f3f9ced0e (diff)
Limit maximum multipart/form-data pairs and files
A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources.
Diffstat (limited to 'include')
-rw-r--r--include/libweb/handler.h1
-rw-r--r--include/libweb/http.h5
2 files changed, 6 insertions, 0 deletions
diff --git a/include/libweb/handler.h b/include/libweb/handler.h
index 493e24c..72ef1e0 100644
--- a/include/libweb/handler.h
+++ b/include/libweb/handler.h
@@ -14,6 +14,7 @@ struct handler_cfg
struct http_response *r, void *user);
void *user;
size_t max_headers;
+ struct http_cfg_post post;
};
struct handler *handler_alloc(const struct handler_cfg *cfg);
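Review bot: The new `post` member of `struct handler_cfg` carries limits whose zero value is undocumented; the same applies to `max_pairs` and `max_files` in the http.h hunk. Callers that fill the config with designated initializers will get both limits as 0 without changing their code, so the header should state whether 0 means "no limit" or "nothing accepted". If it means no limit, existing callers stay exposed to the resource exhaustion the commit message describes until they opt in, which is worth saying in the comment too. A comment on the fields along the lines of `/* Maximum multipart/form-data key/value pairs and files accepted per request; 0 means <semantics to be stated>. */` would cover it. `struct handler_cfg` begins outside this hunk.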
diff --git a/include/libweb/http.h b/include/libweb/http.h
index 7af66b5..4e80570 100644
--- a/include/libweb/http.h
+++ b/include/libweb/http.h
@@ -106,6 +106,11 @@ struct http_cfg
const char *tmpdir;
void *user;
size_t max_headers;
+
+ struct http_cfg_post
+ {
+ size_t max_pairs, max_files;
+ } post;
};
struct http_ctx *http_alloc(const struct http_cfg *cfg);
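Review bot: `struct http_cfg_post` is defined inside `struct http_cfg` but is used by tag in handler.h (`struct http_cfg_post post;`). That works in C, where the nested tag has file scope, but in C++ the tag would be scoped to `http_cfg`, and the handler.h member would then name a different, incomplete type. If these headers may ever be included from C++, define `struct http_cfg_post { size_t max_pairs, max_files; };` at file scope above `struct http_cfg` and keep only `struct http_cfg_post post;` inside it. Whether handler.h includes http.h for this type is not visible here, and `struct http_cfg` begins outside the hunk.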