kore

An easy to use, scalable and secure web application framework for writing web APIs in C.

commit 0647901ef5ccccdd970cd3d63c4d09dde27a7175
parent 0c47574fe9e6ea2d585aa067a92404e4c4770b75
Author: Joris Vink <joris@coders.se>
Date:   Fri,  8 Jan 2016 17:54:40 +0100

Improve http_body_max directive a bit.

Allow setting it to 0 which will disable HTTP requests
that have a body (POST/PUT).

Reduce the default http_body_max to 1MB; 10MB seems large.

Revisiting this code was inspired by #100.

Diffstat:
conf/kore.conf.example | 5+++--
includes/http.h | 2+-
includes/kore.h | 6+++---
src/config.c | 2+-
src/http.c | 6++++++
5 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/conf/kore.conf.example b/conf/kore.conf.example
@@ -59,7 +59,8 @@ workers 4
 # http_header_max Maximum size of HTTP headers (in bytes).
 #
 # http_body_max Maximum size of an HTTP body (in bytes).
-#
+# If set to 0 disallows requests with a body
+# all together.
 # http_keepalive_time Maximum seconds an HTTP connection can be
 # kept alive by the browser.
 # (Set to 0 to disable keepalive completely).
@@ -71,7 +72,7 @@ workers 4
 # http_request_limit Limit the number of requests Kore processes
 # in a single event loop.
 #http_header_max 4096
-#http_body_max 10240000
+#http_body_max 1024000
 #http_keepalive_time 0
 #http_hsts_enable 31536000
 #http_request_limit 1000
diff --git a/includes/http.h b/includes/http.h
@@ -26,7 +26,7 @@ extern "C" {
 #define HTTP_KEEPALIVE_TIME 20
 #define HTTP_HSTS_ENABLE 31536000
 #define HTTP_HEADER_MAX_LEN 4096
-#define HTTP_BODY_MAX_LEN 10240000
+#define HTTP_BODY_MAX_LEN 1024000
 #define HTTP_URI_LEN 2000
 #define HTTP_USERAGENT_LEN 256
 #define HTTP_REQ_HEADER_MAX 25
diff --git a/includes/kore.h b/includes/kore.h
@@ -73,11 +73,11 @@ extern int daemon(int, int);
 #define KORE_DEFAULT_CIPHER_LIST "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!kRSA:!kDSA"
 
 #if defined(KORE_DEBUG)
-#define kore_debug(fmt, ...) \
+#define kore_debug(...) \
 if (kore_debug) \
- kore_debug_internal(__FILE__, __LINE__, fmt, ##__VA_ARGS__)
+ kore_debug_internal(__FILE__, __LINE__, ##__VA_ARGS__)
 #else
-#define kore_debug(fmt, ...)
+#define kore_debug(...)
 #endif
 
 #define NETBUF_RECV 0
diff --git a/src/config.c b/src/config.c
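Review bot: In includes/http.h the new `HTTP_BODY_MAX_LEN` of 1024000 is neither 1000000 nor 1048576, while the commit message calls it 1MB. A comment on the define would settle the unit, for example `/* default http_body_max, in bytes */`, or the value could be written as `(1024 * 1024)` if 1 MiB is what is meant. Deployments that rely on the default will start refusing bodies that fall between the new and the old limit, which deserves a line in the release notes.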
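Review bot: In includes/kore.h the debug build of `kore_debug` still expands to a bare `if (kore_debug) kore_debug_internal(...)`, so a call placed directly under an unbraced `if` that has an `else` would capture that `else`. Wrapping the expansion closes that off: `#define kore_debug(...) do { if (kore_debug) kore_debug_internal(__FILE__, __LINE__, ##__VA_ARGS__); } while (0)`. With the named `fmt` parameter gone, the format string is simply the first variadic argument, so a short comment stating that it must be a string literal would help, and the same comment can mention that `, ##__VA_ARGS__` is a GNU extension.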
@@ -536,7 +536,7 @@ configure_http_body_max(char **argv)
 return (KORE_RESULT_ERROR);
 }
 
- http_body_max = kore_strtonum(argv[1], 10, 1, LONG_MAX, &err);
+ http_body_max = kore_strtonum(argv[1], 10, 0, LONG_MAX, &err);
 if (err != KORE_RESULT_OK) {
 printf("bad http_body_max value: %s\n", argv[1]);
 return (KORE_RESULT_ERROR);
diff --git a/src/http.c b/src/http.c
@@ -591,6 +591,12 @@ http_header_recv(struct netbuf *nb)
 }
 
 if (req->flags & HTTP_REQUEST_EXPECT_BODY) {
+ if (http_body_max == 0) {
+ req->flags |= HTTP_REQUEST_DELETE;
+ http_error_response(req->owner, 405);
+ return (KORE_RESULT_OK);
+ }
+
 if (!http_request_header(req, "content-length", &p)) {
 kore_debug("expected body but no content-length");
 req->flags |= HTTP_REQUEST_DELETE;
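Review bot: In src/config.c the lower bound passed to `kore_strtonum` drops to 0 without a comment, so the next reader cannot tell that 0 is a deliberate "no request bodies" setting rather than an unchecked minimum. I would add `/* 0 is valid: requests with a body are then refused in http_header_recv(). */` above the call. The `printf` on the error path could also state the accepted range, since the value alone does not tell an operator what was wrong with it. `configure_http_body_max` begins and ends outside this hunk.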
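Review bot: In src/http.c the new `http_body_max == 0` branch answers 405 and returns `KORE_RESULT_OK` with nothing visible here that closes the connection or discards the body the client announced. If `http_error_response` leaves the connection open, the unread body bytes would be parsed as the start of the next request, so this path should either close the connection after the response or be confirmed to do so already. The branch is also silent, unlike the one directly below it; `kore_debug("http_body_max is 0, refusing request with body");` would match and gives operators a trace of refused requests. A 405 is expected to carry an `Allow` header, which cannot be checked from this hunk. `http_header_recv` starts and ends outside the hunk.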