From afe0681c0b26bb64bad55d7e86770f346cfa043e Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero
Date: Mon, 19 Feb 2024 23:00:56 +0100
Subject: Limit maximum multipart/form-data pairs and files

A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources.
---
 doc/man7/libweb_handler.7 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'doc/man7/libweb_handler.7')

diff --git a/doc/man7/libweb_handler.7 b/doc/man7/libweb_handler.7
index f975444..bf47567 100644
--- a/doc/man7/libweb_handler.7
+++ b/doc/man7/libweb_handler.7
@@ -76,6 +76,7 @@ struct handler_cfg
 int (*\fIlength\fP)(unsigned long long len, const struct http_cookie *c, struct http_response *r, void *user);
 void *\fIuser\fP;
 size_t \fImax_headers\fP;
+ struct http_cfg_post \fIpost\fP;
 };
 .EE
 .in
@@ -83,9 +84,10 @@ struct handler_cfg
 .IR tmpdir ,
 .IR length ,
-.I user
-and
+.IR user ,
 .I max_headers
+and
+.I post
 are passed directly to the
 .I struct http_cfg
 object used to initialize a
-- 
cgit v1.2.3