Subject: Re: [boost] [Beast] Security issue note
From: Artyom Beilis (artyom.beilis_at_[hidden])
Date: 2017-07-01 10:21:47
I also added an "on_header" callback feature to beast::http::parser so
that users can set the limit after receiving the header based on the
contents. This allows for the type of logic you are describing; the
limit may be conditionally set depending on the value of Content-Type.
The benefit of the callback is that it does not require that the HTTP
message is read in two I/Os (first the header then the body).
This is something I did in CppCMS as well at some point. However this
approach still has a certain design flaw I couldn't fix in CppCMS without
significant API changes.
Between the header analysis and content handling there may be need for
doing some blocking or async IO. For example accessing session stored in
SQL server using Id defined by cookies to get user limits/roles.
So I suggest keeping an option for separate headers and body processing.
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk