From afe0681c0b26bb64bad55d7e86770f346cfa043e Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero
Date: Mon, 19 Feb 2024 23:00:56 +0100
Subject: Limit maximum multipart/form-data pairs and files

A malicious user could inject an infinite number of empty files or key/value pairs into a request in order to exhaust the device's resources.
---
 include/libweb/handler.h | 1 +
 include/libweb/http.h | 5 +++++
 2 files changed, 6 insertions(+)
(limited to 'include')

diff --git a/include/libweb/handler.h b/include/libweb/handler.h
index 493e24c..72ef1e0 100644
--- a/include/libweb/handler.h
+++ b/include/libweb/handler.h
@@ -14,6 +14,7 @@ struct handler_cfg
 struct http_response *r, void *user);
 void *user;
 size_t max_headers;
+ struct http_cfg_post post;
 };

 struct handler *handler_alloc(const struct handler_cfg *cfg);
diff --git a/include/libweb/http.h b/include/libweb/http.h
index 7af66b5..4e80570 100644
--- a/include/libweb/http.h
+++ b/include/libweb/http.h
@@ -106,6 +106,11 @@ struct http_cfg
 const char *tmpdir;
 void *user;
 size_t max_headers;
+
+ struct http_cfg_post
+ {
+ size_t max_pairs, max_files;
+ } post;
 };

 struct http_ctx *http_alloc(const struct http_cfg *cfg);
-- 
cgit v1.2.3
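Review bot: In include/libweb/handler.h, the new `struct http_cfg_post post;` member is held by value and so needs the complete type, yet that type is only defined nested inside `struct http_cfg` in include/libweb/http.h (the second hunk). In C the nested tag still lands at file scope, so this compiles as long as handler.h pulls in http.h before this point (the include lines are outside the hunk); a C++ consumer, if these headers are meant to support one, would see the tag scoped to `http_cfg`, and this member would then name a different, incomplete type. Defining it at file scope in http.h, `struct http_cfg_post { size_t max_pairs, max_files; };`, and keeping only `struct http_cfg_post post;` inside `struct http_cfg` would make the sharing between the two headers explicit. struct handler_cfg begins above the hunk.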
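Review bot: In include/libweb/http.h, the new `max_pairs` and `max_files` fields have no comment saying what a value of 0 means, and that decides whether the limit protects anyone by default. Callers that zero-initialise `struct http_cfg` or `struct handler_cfg`, or whose designated initialisers predate this commit, will get 0 in both fields. The implementation is outside this diff (limited to 'include'), so it cannot be told from here whether 0 means "no limit", which leaves the exhaustion case from the commit message open until each caller opts in, or "nothing accepted", which makes existing multipart forms start failing. I would add a comment on the member along the lines of `/* Maximum key/value pairs and files accepted per multipart/form-data request; 0 means <behaviour to confirm against the implementation>. */`. struct http_cfg begins above the hunk.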