[pve-devel] applied: [PATCH http-server] increase max headers to 64 to cope with modern browsers + proxy combinations

[Thomas Lamprecht]

This is mostly a "do not allow infinity headers" limit in the sense
of "it's good to have limits". With modern browsers and users behind
proxies we may actually get over 30 headers, so increase it for now
to 64 - hopefully enough for another decade ;)

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
Reported-by: Victor Hooi <victorhooi at yahoo.com>
---
 PVE/APIServer/AnyEvent.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index efb8168..c55da7f 100644
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -46,7 +46,7 @@ use HTTP::Response;
 use Data::Dumper;
 use JSON;
 
-my $limit_max_headers = 30;
+my $limit_max_headers = 64;
 my $limit_max_header_size = 8*1024;
 my $limit_max_post = 64*1024;
 
@@ -1184,7 +1184,7 @@ sub unshift_read_header {
 	eval {
 	    # print "$$: got header: $line\n" if $self->{debug};
 
-	    die "to many http header lines\n" if ++$state->{count} >= $limit_max_headers;
+	    die "too many http header lines (> $limit_max_headers)\n" if ++$state->{count} >= $limit_max_headers;
 	    die "http header too large\n" if ($state->{size} += length($line)) >= $limit_max_header_size;
 
 	    my $r = $reqstate->{request};
-- 
2.20.1