Subject: Re: [boost] [Beast] Security issue note
From: Vinnie Falco (vinnie.falco_at_[hidden])
Date: 2017-06-28 11:16:49


On Wed, Jun 28, 2017 at 1:06 AM, Artyom Beilis via Boost
<boost_at_[hidden]> wrote:
> In CppCMS I use 1MB for generic content type and 64MB for
> multipart/form-data (that goes to filesystem - not memory...)
> ...
> 8MB for post and for files 2MB per file up to 20 files.

Well, Beast doesn't know anything about content type or multipart
encoding so I can only realistically set a default depending on
whether it is a request or a response. I will leave it at 1MB for
requests and 8MB for responses. Servers will have more connections so
it makes sense for the limit to be lower.

I also added an "on_header" callback feature to beast::http::parser so
that users can set the limit after receiving the header based on the
contents. This allows for the type of logic you are describing; the
limit may be conditionally set depending on the value of Content-Type.
The benefit of the callback is that it does not require that the HTTP
message is read in two I/Os (first the header then the body).

This is in the "v70" branch which will be merged today (Wednesday).
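
An added illustration of the header-callback approach described in this message (not code from the post or from Beast): a parser whose `on_header` hook picks the body limit from Content-Type before any body bytes are buffered. `LimitedParser`, `limit_by_content_type` and `accepts` are hypothetical names, and the 64MB/1MB policy uses the CppCMS figures quoted above.

```cpp
#include <cctype>
#include <cstdlib>
#include <functional>
#include <string>

// Hypothetical minimal parser, not Beast's API. The header block is kept lower-cased.
struct LimitedParser {
    std::size_t body_limit = 1u << 20;              // 1MB: request default from the post
    std::function<void(LimitedParser&)> on_header;  // runs once the header is complete
    std::string pending, head, body;
    bool header_done = false, rejected = false;
    bool reject() { rejected = true; return false; }
    std::string field(const std::string& name) const {  // value of a field, "" if absent
        std::size_t at = head.find("\r\n" + name + ":");
        if (at == std::string::npos) return "";
        at += name.size() + 3;
        std::string v = head.substr(at, head.find("\r\n", at) - at);
        return v.erase(0, v.find_first_not_of(" \t"));
    }
    bool take_body(const std::string& data) {       // enforced on bytes actually received
        if (body.size() + data.size() > body_limit) return reject();
        body += data;
        return true;
    }
    bool put(const std::string& data) {             // returns false once the message is rejected
        if (rejected) return false;
        if (header_done) return take_body(data);
        pending += data;
        std::size_t end = pending.find("\r\n\r\n");
        if (end == std::string::npos) return true;  // header incomplete; a real parser caps this too
        head = pending.substr(0, end + 2);
        for (char& c : head) c = (char)std::tolower((unsigned char)c);
        header_done = true;
        if (on_header) on_header(*this);            // the limit may be changed here
        if (std::strtoull(field("content-length").c_str(), nullptr, 10) > body_limit) return reject();
        return take_body(pending.substr(end + 4));  // body bytes that arrived with the header
    }
};

// Policy with the CppCMS figures quoted in the thread: 64MB multipart/form-data, else 1MB.
void limit_by_content_type(LimitedParser& p) {
    bool multipart = p.field("content-type").rfind("multipart/form-data", 0) == 0;
    p.body_limit = multipart ? 64u << 20 : 1u << 20;
}
bool accepts(const std::string& read) {             // one read: header plus first body bytes
    LimitedParser p;
    p.on_header = limit_by_content_type;
    return p.put(read);
}
```

The declared Content-Length is checked as soon as the callback returns, and the same limit is applied again to the bytes that actually arrive, so a message with no Content-Length is still bounded.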

