From c7fdfe72a7681dcf28c405fe365a4edc51df10f0 Mon Sep 17 00:00:00 2001
From: Ilya Kreymer
Date: Tue, 12 Nov 2019 12:38:01 -0800
Subject: [PATCH] Restrict POST query size (#519)

* indexing: restrict POST body appended to query to 16384, avoid reading very large POST requests on indexing
---
 pywb/warcserver/inputrequest.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pywb/warcserver/inputrequest.py b/pywb/warcserver/inputrequest.py
index f910d2e3..f616648e 100644
--- a/pywb/warcserver/inputrequest.py
+++ b/pywb/warcserver/inputrequest.py
@@ -181,6 +181,8 @@ class POSTInputRequest(DirectWSGIInputRequest):
 # ============================================================================
 class MethodQueryCanonicalizer(object):
+    MAX_POST_SIZE = 16384
+
     def __init__(self, method, mime, length, stream,
                  buffered_stream=None,
                  environ=None):
@@ -210,7 +212,9 @@ class MethodQueryCanonicalizer(object):
         if length <= 0:
             return
-        query = b''
+        # max POST query allowed, for size considerations, only read upto this size
+        length = min(length, self.MAX_POST_SIZE)
+        query = []
         while length > 0:
             buff = stream.read(length)
@@ -219,7 +223,9 @@ class MethodQueryCanonicalizer(object):
             if not buff:
                 break
-            query += buff
+            query.append(buff)
+
+        query = b''.join(query)
         if buffered_stream:
             buffered_stream.write(query)
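Review bot: `MAX_POST_SIZE = 16384` is introduced on the class without saying what it bounds or that it is meant to be overridden per subclass or instance, which is what placing it as a class attribute rather than a module constant implies. A one-line comment above it would make the contract clear, e.g. `# Upper bound in bytes on how much of a POST body is read into the canonicalized query; any remainder is not read and the query is built from the prefix only.` The 16384 figure itself is not justified anywhere in the commit message beyond "size considerations"; if it was chosen to fit a typical form POST, noting that here would save the next reader from guessing.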
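Review bot: `length = min(length, self.MAX_POST_SIZE)` truncates silently, and the consequences are not visible to callers: the canonicalized query is now built from at most the first 16384 bytes, so two POST bodies that share that prefix canonicalize to the same key, and `buffered_stream.write(query)` in the third hunk stores only the truncated prefix while the caller's original length (presumably still the request's Content-Length) describes the full body. If that divergence is acceptable for indexing it should be stated at the cap, e.g. `# Cap the body at MAX_POST_SIZE: the query is derived from the prefix only (bodies sharing a prefix collide) and buffered_stream receives just that prefix`; if not, the unread `length - MAX_POST_SIZE` bytes need to be consumed or the buffered copy marked as truncated so downstream readers do not wait for bytes that were never copied. The comment's "upto" should read "up to". The enclosing method begins and ends outside these hunks, so I cannot see whether the original length is used again after the cap.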