From afe0681c0b26bb64bad55d7e86770f346cfa043e Mon Sep 17 00:00:00 2001 From: Xavier Del Campo Romero Date: Mon, 19 Feb 2024 23:00:56 +0100 Subject: Limit maximum multipart/form-data pairs and files A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources. --- doc/man7/libweb_http.7 | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'doc/man7/libweb_http.7') diff --git a/doc/man7/libweb_http.7 b/doc/man7/libweb_http.7 index 0beb686..de627cb 100644 --- a/doc/man7/libweb_http.7 +++ b/doc/man7/libweb_http.7 @@ -94,6 +94,11 @@ struct http_cfg const char *\fItmpdir\fP; void *\fIuser\fP; size_t \fImax_headers\fP; + + struct http_cfg_post + { + size_t \fImax_pairs\fP, \fImax_files\fP; + } \fIpost\fP; }; .EE .in @@ -221,6 +226,31 @@ Any extra headers sent by the client outside this maximum value shall be silently ignored by .IR libweb . +.I post +contains configuration parameters specific to +.B POST +requests: + +.I max_pairs +refers to the maximum number of key/value pairs that shall be accepted by +.I libweb +on +.B POST +.IR multipart/form-data -encoded +requests. If the maximum number of pairs is exceeded by the request, +.I libweb +shall terminate the connection. + +.I max_files +refers to the maximum number of files that shall be accepted by +.I libweb +on +.B POST +.IR multipart/form-data -encoded +requests. If the maximum number of files is exceeded by the request, +.I libweb +shall terminate the connection. + .SS HTTP payload When a client submits a request to the server, -- cgit v1.2.3
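Review bot: the new `struct http_cfg_post` members in the first hunk (`size_t max_pairs, max_files;`) have no documented meaning for the value 0 or for a zero-initialised `struct http_cfg`, and the hunk declares a new nested struct tag without saying whether existing callers that do not set `post` keep the old unlimited behaviour or now reject every multipart request. Since the commit message gives the motivation as resource exhaustion from an unbounded number of pairs and files, the struct comment or the prose should state the default (a sensible secure default is a finite limit rather than "0 means unlimited") and note that the limit is checked per request. This view is limited to `doc/man7/libweb_http.7`, so the code that enforces the two counters is not visible here; the reviewer should confirm it exists in the same change set and that it counts parts as they are parsed, before any temporary file is created under `tmpdir`, otherwise the limit does not prevent the disk or inode exhaustion the message describes.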
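Review bot: in the second hunk, the two new paragraphs say "libweb shall terminate the connection" when `max_pairs` or `max_files` is exceeded, but do not say whether a status is sent first (for example `413` or `400`) or whether the socket is simply closed; a client that sees a silent close cannot distinguish a policy rejection from a network fault, and an operator cannot log or alert on it, so the man page should state the exact behaviour. The text also leaves two boundary questions open that this kind of limit always raises: whether "exceeded" means strictly more than the configured value (the wording suggests `count > max` is rejected, so `max` itself is accepted, which should be said explicitly), and whether a file part is also counted towards `max_pairs` or only towards `max_files`. Finally, the new paragraphs sit directly after the `max_headers` text, which says extra headers "shall be silently ignored", while extra pairs and files terminate the connection; a one-line cross-reference explaining why the two limits behave differently would help readers tuning them.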