http: put a limit on POST size

R=rsc CC=golang-dev https://golang.org/cl/4432076
author: Brad Fitzpatrick <bradfitz@golang.org> 2011-04-27 15:36:39 -0700
committer: Brad Fitzpatrick <bradfitz@golang.org> 2011-04-27 15:36:39 -0700
commit: ec3fe2a5b6aed7fc875cb34825f464c48803965c (patch)
tree: 83b6073214163d6066cc9a90dcfbedd1f5a17798
parent: 6e71e1ca76616bcda23860233c957705bf7685ed (diff)
download: go-ec3fe2a5b6aed7fc875cb34825f464c48803965c.tar.gz
go-ec3fe2a5b6aed7fc875cb34825f464c48803965c.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/src/pkg/http/request.go b/src/pkg/http/request.go
index 26039cb623..14a505d9f8 100644
--- a/src/pkg/http/request.go
+++ b/src/pkg/http/request.go
@@ -596,13 +596,17 @@ func (r *Request) ParseForm() (err os.Error) {
 		ct := r.Header.Get("Content-Type")
 		switch strings.Split(ct, ";", 2)[0] {
 		case "text/plain", "application/x-www-form-urlencoded", "":
-			b, e := ioutil.ReadAll(r.Body)
+			const maxFormSize = int64(10 << 20) // 10 MB is a lot of text.
+			b, e := ioutil.ReadAll(io.LimitReader(r.Body, maxFormSize+1))
 			if e != nil {
 				if err == nil {
 					err = e
 				}
 				break
 			}
+			if int64(len(b)) > maxFormSize {
+				return os.NewError("http: POST too large")
+			}
 			e = parseQuery(r.Form, string(b))
 			if err == nil {
 				err = e
author	Brad Fitzpatrick <bradfitz@golang.org>	2011-04-27 15:36:39 -0700
committer	Brad Fitzpatrick <bradfitz@golang.org>	2011-04-27 15:36:39 -0700
commit	ec3fe2a5b6aed7fc875cb34825f464c48803965c (patch)
tree	83b6073214163d6066cc9a90dcfbedd1f5a17798
parent	6e71e1ca76616bcda23860233c957705bf7685ed (diff)
download	go-ec3fe2a5b6aed7fc875cb34825f464c48803965c.tar.gz go-ec3fe2a5b6aed7fc875cb34825f464c48803965c.zip