author | Brad Fitzpatrick <bradfitz@golang.org> | 2011-04-27 15:36:39 -0700 |
---|---|---|
committer | Brad Fitzpatrick <bradfitz@golang.org> | 2011-04-27 15:36:39 -0700 |
commit | ec3fe2a5b6aed7fc875cb34825f464c48803965c (patch) | |
tree | 83b6073214163d6066cc9a90dcfbedd1f5a17798 | |
parent | 6e71e1ca76616bcda23860233c957705bf7685ed (diff) | |
http: put a limit on POST size
R=rsc
CC=golang-dev
https://golang.org/cl/4432076
-rw-r--r-- | src/pkg/http/request.go | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/pkg/http/request.go b/src/pkg/http/request.go
index 26039cb623..14a505d9f8 100644
--- a/src/pkg/http/request.go
+++ b/src/pkg/http/request.go
@@ -596,13 +596,17 @@ func (r *Request) ParseForm() (err os.Error) {
 ct := r.Header.Get("Content-Type")
 switch strings.Split(ct, ";", 2)[0] {
 case "text/plain", "application/x-www-form-urlencoded", "":
- b, e := ioutil.ReadAll(r.Body)
+ const maxFormSize = int64(10 << 20) // 10 MB is a lot of text.
+ b, e := ioutil.ReadAll(io.LimitReader(r.Body, maxFormSize+1))
 if e != nil {
 if err == nil {
 err = e
 }
 break
 }
+ if int64(len(b)) > maxFormSize {
+ return os.NewError("http: POST too large")
+ }
 e = parseQuery(r.Form, string(b))
 if err == nil {
 err = e
|
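Review bot: The new size check at `if int64(len(b)) > maxFormSize` returns a freshly built `os.NewError("http: POST too large")`, so a handler cannot tell an oversized body from a malformed one and has no clean way to answer with 413. An exported package-level value (say `var ErrPostTooLarge = os.NewError("http: POST too large")`, a suggested name) returned from that branch would let callers compare against it. The direct `return` also differs from the neighbouring branches, which keep the first error in `err` and `break`; if an earlier error was already stored in `err` it is replaced here, which may be intended but deserves a comment. The cap is a constant local to this case, so each request can still have up to 10 MB plus one byte buffered by `ioutil.ReadAll`; a doc comment on ParseForm stating the limit, and that handlers needing a tighter bound should wrap `r.Body` in their own `io.LimitReader` first, would help. ParseForm starts before this hunk and continues past it, so whatever follows the `switch` is not visible here.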