From e7ee5e3f752b4c88f8c5790c7dd8676202523b6c Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Thu, 2 Jul 2020 07:54:52 +0200
Subject: [PATCH] increase max headers to 64 to cope with modern browsers + proxy combinations
This is mostly a "do not allow infinity headers" limit in the sense of "it's good to have limits". With modern browsers and users behind proxies we may actually get over 30 headers, so increase it for now to 64 - hopefully enough for another decade ;)
Signed-off-by: Thomas Lamprecht
Reported-by: Victor Hooi
---
 PVE/APIServer/AnyEvent.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index efb8168..c55da7f 100644
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -46,7 +46,7 @@ use HTTP::Response;
 use Data::Dumper;
 use JSON;
-my $limit_max_headers = 30;
+my $limit_max_headers = 64;
 my $limit_max_header_size = 8*1024;
 my $limit_max_post = 64*1024;
@@ -1184,7 +1184,7 @@ sub unshift_read_header {
 eval {
 # print "$$: got header: $line\n" if $self->{debug};
- die "to many http header lines\n" if ++$state->{count} >= $limit_max_headers;
+ die "too many http header lines (> $limit_max_headers)\n" if ++$state->{count} >= $limit_max_headers;
 die "http header too large\n" if ($state->{size} += length($line)) >= $limit_max_header_size;
 my $r = $reqstate->{request};
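Review bot: The `$limit_max_*` constants in the first hunk have no comment, so the reason for the new value of 64 exists only in the commit message. A short comment above them would record that they are resource caps on request parsing, for example `# caps on untrusted request input; total header bytes stay bounded by $limit_max_header_size whatever the line count`. The second half of that comment is supported by the size check in the second hunk, which accumulates `length($line)` across header lines. So raising the line count does not raise the per-request byte bound.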
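Review bot: The new message in the second hunk says `(> $limit_max_headers)`, but the guard on the same line uses `>=`, so the request is rejected when the counter reaches 64, not when it exceeds 64. If `$state->{count}` starts at 0 (its initialisation is outside the hunk), the effective maximum is 63 header lines, one fewer than the commit title advertises. Either make the check `if ++$state->{count} > $limit_max_headers;` or word the message `(>= $limit_max_headers)` so that an operator reading the log sees the real threshold. The size check on the following line also uses `>=`, so the two should be aligned in whichever direction is chosen. The enclosing `eval` and `unshift_read_header` start and end outside this hunk.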