Merge branch 'max-header-lines'

daurnimator · daurnimator · commit 1c82ccc6dca0 · 2017-05-27T19:20:12.000+10:00
diff --git a/doc/modules/http.h1_stream.md b/doc/modules/http.h1_stream.md
@@ -9,6 +9,11 @@ The gzip transfer encoding is supported transparently.
 See [`stream.connection`](#stream.connection)
 
 
+### `h1_stream.max_header_lines` <!-- --> {#http.h1_stream.max_header_lines}
+
+The maximum number of header lines to read. Default is `100`.
+
+
 ### `h1_stream:checktls()` <!-- --> {#http.h1_stream:checktls}
 
 See [`stream:checktls()`](#stream:checktls)
diff --git a/http/h1_stream.lua b/http/h1_stream.lua
@@ -46,6 +46,7 @@ end
 
 local stream_methods = {
 	use_zlib = has_zlib;
+	max_header_lines = 100;
 }
 for k,v in pairs(stream_common.methods) do
 	stream_methods[k] = v
@@ -321,6 +322,9 @@ function stream_methods:read_headers(timeout)
 
 	-- Use while loop for lua 5.1 compatibility
 	while true do
+		if headers:len() >= self.max_header_lines then
+			return nil, ce.strerror(ce.E2BIG), ce.E2BIG
+		end
 		local k, v, errno = self.connection:read_header(0)
 		if k == nil then
 			if v ~= nil then
