http: put a limit on POST size

author Brad Fitzpatrick <bradfitz@golang.org>

Wed, 27 Apr 2011 22:36:39 +0000 (15:36 -0700)

committer Brad Fitzpatrick <bradfitz@golang.org>

Wed, 27 Apr 2011 22:36:39 +0000 (15:36 -0700)
author Brad Fitzpatrick <bradfitz@golang.org>
Wed, 27 Apr 2011 22:36:39 +0000 (15:36 -0700)
committer Brad Fitzpatrick <bradfitz@golang.org>
Wed, 27 Apr 2011 22:36:39 +0000 (15:36 -0700)
diff --git a/src/pkg/http/request.go b/src/pkg/http/request.go

index 26039cb623e33553bb5dae2572aef472e5f18287..14a505d9f84f3329bea4a6493380d9e367603455 100644 (file)
--- a/src/pkg/http/request.go
+++ b/src/pkg/http/request.go
@@ -596,13 +596,17 @@ func (r *Request) ParseForm() (err os.Error) {
                 ct := r.Header.Get("Content-Type")
                 switch strings.Split(ct, ";", 2)[0] {
                 case "text/plain", "application/x-www-form-urlencoded", "":
-                       b, e := ioutil.ReadAll(r.Body)
+                       const maxFormSize = int64(10 << 20) // 10 MB is a lot of text.
+                       b, e := ioutil.ReadAll(io.LimitReader(r.Body, maxFormSize+1))
                         if e != nil {
                                 if err == nil {
                                         err = e
                                 }
                                 break
                         }
+                       if int64(len(b)) > maxFormSize {
+                               return os.NewError("http: POST too large")
+                       }
                         e = parseQuery(r.Form, string(b))
                         if err == nil {
                                 err = e
author	Brad Fitzpatrick <bradfitz@golang.org>
	Wed, 27 Apr 2011 22:36:39 +0000 (15:36 -0700)
committer	Brad Fitzpatrick <bradfitz@golang.org>
	Wed, 27 Apr 2011 22:36:39 +0000 (15:36 -0700)