Commit 937a3ee0 authored by Petr Špaček's avatar Petr Špaček

doh: limit max query size to 1024 B

The value is somewhat arbitrary and was chosen as a precaution. A 64k limit
was causing cqueues to close connections with GET requests with "Broken pipe",
and it seems to work with 1024 B.
parent 93df1fe3
......@@ -20,13 +20,13 @@ local function serve_doh(h, stream)
local input
local method = h:get(':method')
if method == 'POST' then
input = stream:get_body_chars(65536, 2) -- read timeout = KR_CONN_RTT_MAX
input = stream:get_body_chars(1025, 2) -- read timeout = KR_CONN_RTT_MAX
elseif method == 'GET' then
local input_b64 = string.match(h:get(':path'), '^/doh%?dns=([a-zA-Z0-9_-]+)$')
if not input_b64 then
return 400, 'base64url query not found'
end
if #input_b64 > 87380 then -- base64url encode 65535
if #input_b64 > 1368 then -- base64url encode 1024
return 414, 'query parameter in URI too long'
end
input = basexx.from_url64(input_b64)
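Review bot: The GET length guard `if #input_b64 > 1368` is looser than the 1024 B limit it is meant to enforce. The path pattern two lines above accepts only unpadded base64url, where 1024 bytes encode to 1366 characters, so values of 1367 and 1368 characters (1025 and 1026 decoded bytes) pass here and are presumably rejected later by the `#input > 1024` check with 413 instead of 414. Suggest `if #input_b64 > 1366 then -- unpadded base64url of 1024 B`. The 1030-byte payload in test_get_long_input does not reach this boundary, so a 1025-byte GET case there would pin it. serve_doh starts and ends outside this hunk.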
......@@ -39,7 +39,7 @@ local function serve_doh(h, stream)
if #input < 12 then
return 400, 'input too short'
elseif #input > 65535 then
elseif #input > 1024 then
return 413, 'input too long'
end
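Review bot: The request size limit is now spelled as three unrelated literals (`1025` in the POST body read, `1368` in the GET guard, `1024` in this check), and the commit message calls the value arbitrary, so a later adjustment can easily leave the read cap and the decoded-size check out of step. A single `local MAX_QUERY_SIZE = 1024` near the top of the module, with the POST read using `MAX_QUERY_SIZE + 1` and this branch using `#input > MAX_QUERY_SIZE`, would keep the denial-of-service bound in one place. The enclosing function continues outside this hunk.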
......
......@@ -167,21 +167,21 @@ else
local function test_post_long_input()
local req = assert(req_templ:clone())
req.headers:upsert(':method', 'POST')
req:set_body(string.rep('s', 65536)) -- > DNS msg over UDP
req:set_body(string.rep('s', 1025)) -- > DNS msg over UDP
check_err(req, '413', 'too long POST finishes with 413')
end
local function test_get_long_input()
local req = assert(req_templ:clone())
req.headers:upsert(':method', 'GET')
req.headers:upsert(':path', '/doh?dns=' .. basexx.to_url64(string.rep('s', 65536)))
req.headers:upsert(':path', '/doh?dns=' .. basexx.to_url64(string.rep('\0', 1030)))
check_err(req, '414', 'too long GET finishes with 414')
end
local function test_post_unparseable_input()
local req = assert(req_templ:clone())
req.headers:upsert(':method', 'POST')
req:set_body(string.rep('\0', 65535)) -- garbage
req:set_body(string.rep('\0', 1024)) -- garbage
check_err(req, '400', 'unparseable DNS message finishes with 400')
end
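Review bot: The trailing comment on `req:set_body(string.rep('s', 1025))` in test_post_long_input still reads `-- > DNS msg over UDP`, which described the earlier 65536-byte body and no longer says why 1025 bytes must yield 413. Something like `-- one byte over the DoH query size limit` would match the new value. Likewise `-- garbage` in test_post_unparseable_input could note that 1024 bytes is the largest body expected to pass the size check, since that test is what shows the limit is inclusive.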
......