Opened 9 years ago

Last modified 9 years ago

#4892 defect new

twisted.web server should accept longer headers from clients

Reported by: ivank Owned by:
Priority: normal Milestone:
Component: web Keywords:
Cc: jknight, ivank Branch:
Author:

Description

twisted.web.http.HTTPChannel is a LineReceiver with the default MAX_LENGTH of 16384. But, HTTP clients may send longer headers; for example: 50 cookies * 4KB/cookie results in a ~200KB header line.

Right now, if the client sends a long header, the server disconnects them with no error visible on either side. If a user is tricked into adding several long cookies, they may *never* be able to receive a response from the server again (until they realize it's a cookie problem). There are probably other headers that are infrequently very long (it's not just cookies).
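An added example, not part of the ticket and not Twisted's code: a standard-library model of a header reader with a per-line limit, fed the 50 x 4 KB cookie case in TCP-sized chunks, showing the silent close next to an explicit 431 reply (RFC 6585). The class, its method names, the explicit_error switch and the sample request are assumptions made for illustration.

```python
# Simplified stand-in for a line-based HTTP header reader (not Twisted's code).
MAX_LENGTH = 16384   # default line limit quoted in the ticket
DELIM = b"\r\n"

class HeaderLineReader:
    """Buffers bytes, splits on CRLF and enforces a per-line length limit."""
    def __init__(self, max_length=MAX_LENGTH, explicit_error=False):
        self.max_length = max_length
        self.explicit_error = explicit_error  # hypothetical policy switch
        self.buf = b""
        self.lines = []      # header lines accepted so far
        self.sent = b""      # bytes written back to the client
        self.closed = False

    def data_received(self, data):
        if self.closed:
            return
        self.buf += data
        while not self.closed:
            line, sep, rest = self.buf.partition(DELIM)
            # A partial line with no CRLF yet can already be over the limit.
            if len(line) > self.max_length:
                self._too_long()
            elif not sep:
                return
            else:
                self.buf = rest
                self.lines.append(line)

    def _too_long(self):
        if self.explicit_error:
            # Tell the client why before closing instead of dropping silently.
            self.sent += (b"HTTP/1.1 431 Request Header Fields Too Large\r\n"
                          b"Connection: close\r\nContent-Length: 0\r\n\r\n")
        self.buf = b""
        self.closed = True

def cookie_request(n_cookies=50, cookie_bytes=4096):
    """Constructed request: the ticket's 50 cookies of ~4 KB each."""
    pairs = ["c%02d=%s" % (i, "x" * (cookie_bytes - 4)) for i in range(n_cookies)]
    head = "GET / HTTP/1.1\r\nHost: example.test\r\nCookie: "
    return (head + "; ".join(pairs) + "\r\n\r\n").encode("ascii")

def run(explicit_error, chunk=1460):
    reader = HeaderLineReader(explicit_error=explicit_error)
    req = cookie_request()
    for i in range(0, len(req), chunk):
        reader.data_received(req[i:i + chunk])
    return reader
```

With explicit_error left off, the reader closes after two accepted lines and writes nothing back, which is the "no error visible on either side" behaviour the description reports.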

Change History (3)

comment:1 Changed 9 years ago by DefaultCC Plugin

Cc: jknight added

comment:2 Changed 9 years ago by jknight

Any idea if other servers have a max header length, and if so what it is and what they do when reaching it?

comment:3 Changed 9 years ago by ivank

Cc: ivank added