
HTTP server should reject requests with oversized URL or headers #2698

Open
@nyh


Seastar's HTTP server reads each header as a contiguous string, and saves all of them in memory before calling the application-defined handler. A malicious user can force Seastar to allocate an unlimited amount of contiguous memory (for a single header) or non-contiguous memory (with many headers), and potentially crash the application with an OOM. The same problem also exists for the request line (the URL). It also needs to be limited, for the same reason.

I am marking this issue a "bug" and not an "enhancement" because this issue can be used to OOM any Seastar application with any sort of HTTP server or REST API, and because the bug must be fixed in Seastar and can't be fixed or worked around by the application. scylladb/scylladb#23438 is for example a ScyllaDB issue caused by this issue.

This missing feature must be implemented in Seastar - it can't be implemented in the application using Seastar because the application's handler gets called only after the URL and the headers have been fully read into memory by Seastar.

Other HTTP servers typically have very low length limits for both the URL and the headers. Apache Httpd defaults to a limit of 8 KB for each, and AWS DynamoDB's server has a limit of 16 KB. Larger URLs or headers are not useful, and there is no interesting reason to support them - although if we wish we could make these limits configurable like Apache Httpd does. When the limit is exceeded, servers typically return a 400 Bad Request, sometimes accompanied by a message "Request Header or Cookie Too Large".
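An added sketch of the mitigation the issue asks for, not Seastar code and not part of the original post: a request-head reader that checks its limits as bytes arrive, so an oversized request line or header is rejected before it is ever buffered in full. All names are hypothetical; the 8 KB per-line cap mirrors the Apache default quoted above, and the cap on the whole head is an assumption added for the many-headers case.

```cpp
#include <cstddef>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Hypothetical names throughout; this is not Seastar's parser or API.
enum class feed_result {
    need_more,  // head not finished, keep reading from the socket
    complete,   // blank line seen, safe to call the application handler
    too_large   // caller answers 400 Bad Request and closes the connection
};

class bounded_head_reader {
    std::size_t _max_line;   // cap for the request line and for each header line
    std::size_t _max_total;  // cap for all lines of one request head together
    std::size_t _total = 0;
    std::string _cur;        // current partial line, never grows past _max_line
    std::vector<std::string> _lines;
    bool _failed = false;
public:
    bounded_head_reader(std::size_t max_line, std::size_t max_total)
        : _max_line(max_line), _max_total(max_total) {}

    // Consume one network chunk. Limits are checked per byte, before the byte
    // is stored, so memory use is bounded no matter how much the peer sends.
    feed_result feed(std::string_view chunk) {
        if (_failed) return feed_result::too_large;
        for (char c : chunk) {
            if (c == '\n') {
                if (!_cur.empty() && _cur.back() == '\r') _cur.pop_back();
                if (_cur.empty()) return feed_result::complete;  // end of head
                _lines.push_back(std::move(_cur));
                _cur.clear();
                continue;
            }
            if (_cur.size() >= _max_line || _total >= _max_total) {
                _failed = true;
                _cur.clear();
                _lines.clear();  // release what was buffered so far
                return feed_result::too_large;
            }
            _cur.push_back(c);
            ++_total;
        }
        return feed_result::need_more;
    }
    const std::vector<std::string>& lines() const { return _lines; }
    std::size_t bytes_accepted() const { return _total; }
};
```
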
