From: "mame (Yusuke Endoh) via ruby-core"
Date: 2024-02-14T13:42:26+00:00
Subject: [ruby-core:116750] [Ruby master Bug#20247] net/http/header limits are too low

Issue #20247 has been updated by mame (Yusuke Endoh).

Status changed from Open to Closed

Discussed at the dev meeting.

This header length limit was introduced to enhance security. Accepting unlimitedly long headers may lead to DoS in some cases. Therefore, we have no plan to revert this limit and are cautious about making it configurable. If there are many such use cases, it may be considered. But for the time being, please redefine `Net::HTTPHeader::MAX_KEY_LENGTH`, etc.

(BTW, there is currently no limit on the total number of headers, but we may limit it too.)

----------------------------------------
Bug #20247: net/http/header limits are too low
https://bugs.ruby-lang.org/issues/20247#change-106769

* Author: dpsi (Darien Imai)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 3.3.0 (2023-12-25 revision 5124f9ac75) +YJIT [x86_64-linux]
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
Hello, some of my HTTP tests are failing on Ruby 3.3 due to ArgumentError too long. I am trying to update from Ruby 2.7. I did not see any mention of this change in the net/http changelog, but looking at git history, the limit was added between gem versions 0.3.2 and 0.4.0.

https://github.com/ruby/ruby/commit/d8b8294c28a09278de357c26b291abf1b9f3cc5d

I send HTTP requests with long header keys in my testing suite. Many webservers such as apache, nginx, IIS permit the total length of HTTP headers to be 8K or longer. Tomcat for example allows 48K. I am trying to send a request with a header key length of 24K. I think the limit of 1K is too low. There was not a clear reason for the change, so I request that it gets reverted. Alternatively the limit could be configurable.
The code being affected by the limit was written for Ruby 1.8, so I am surprised such longstanding behaviour was removed without being listed in the changelog.

--
https://bugs.ruby-lang.org/
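
Added example (not part of the original message and not net/http's own code): one way to follow the suggestion to redefine `Net::HTTPHeader::MAX_KEY_LENGTH` inside a test suite while the default limit stays in force everywhere else. The helper names `with_max_header_key_length`, `header_key_accepted?` and `current_key_limit` are hypothetical, and the code assumes the limit is checked when headers are passed to a request constructor.

```ruby
require "net/http"

# Run the block with Net::HTTPHeader::MAX_KEY_LENGTH set to `bytes`, then put
# the original value back so the relaxed limit never leaks into other code.
# Constants are process-global: do not use this while other threads build requests.
def with_max_header_key_length(bytes)
  mod = Net::HTTPHeader
  # Rubies that predate the limit have no such constant; handle that case too.
  had = mod.const_defined?(:MAX_KEY_LENGTH, false)
  old = had ? mod.send(:remove_const, :MAX_KEY_LENGTH) : nil
  mod.const_set(:MAX_KEY_LENGTH, bytes)
  yield
ensure
  # Restore even when the block raised, e.g. on a failing assertion in a test.
  mod.send(:remove_const, :MAX_KEY_LENGTH) if mod.const_defined?(:MAX_KEY_LENGTH, false)
  mod.const_set(:MAX_KEY_LENGTH, old) if had
end

# The limit currently in force, or nil when this net/http has none.
def current_key_limit
  mod = Net::HTTPHeader
  mod.const_defined?(:MAX_KEY_LENGTH, false) ? mod::MAX_KEY_LENGTH : nil
end

# True if a request object can be built with a header key of `len` bytes.
# The key is constructed sample data; no request is sent anywhere.
def header_key_accepted?(len)
  Net::HTTP::Get.new("/", { "x" * len => "1" })
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  long = 24 * 1024 # the header key length mentioned in the report
  puts "default limit: #{current_key_limit.inspect}, " \
       "24K key accepted: #{header_key_accepted?(long)}"
  with_max_header_key_length(32 * 1024) do
    puts "inside override: 24K key accepted: #{header_key_accepted?(long)}"
  end
  puts "after override: limit is #{current_key_limit.inspect} again"
end
```

Wrapping only the test cases that need oversized keys keeps the DoS guard described in the reply active for the rest of the process.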