From be6bd29b2092cbdb420224ebbb1247432560c8a5 Mon Sep 17 00:00:00 2001
From: psychon
Date: Mon, 6 Jul 2009 17:07:03 +0000
Subject: [PATCH] Limit HTTP POST data size to 1MiB

We need to have an upper limit of the size of HTTP POST data. With the current code you could just send 4 GiB of data to webadmin and ZNC would try to keep all of this in memory. This patch implements an upper limit for HTTP POST data of 1 MiB. Thanks to cnu for finding this.

git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1559 726aef4b-f618-498e-8847-2d620e286838
---
 HTTPSock.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/HTTPSock.cpp b/HTTPSock.cpp
index 6bdac592..e4a92b32 100644
--- a/HTTPSock.cpp
+++ b/HTTPSock.cpp
@@ -11,6 +11,8 @@
 #include "HTTPSock.h"
 #include "znc.h"
+#define MAX_POST_SIZE 1024 * 1024
+
 CHTTPSock::CHTTPSock(CModule *pMod) : CSocket(pMod) {
 Init();
 }
@@ -77,6 +79,8 @@ void CHTTPSock::ReadLine(const CString& sData) {
 m_bLoggedIn = OnLogin(m_sUser, m_sPass);
 } else if (sName.Equals("Content-Length:")) {
 m_uPostLen = sLine.Token(1).ToULong();
+ if (m_uPostLen > MAX_POST_SIZE)
+ PrintErrorPage(413, "Request Entity Too Large", "The request you sent was too large.");
 } else if (sName.Equals("If-None-Match:")) {
 // this is for proper client cache support (HTTP 304) on static files:
 m_sIfNoneMatch = sLine.Token(1, true);
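Review bot: `MAX_POST_SIZE` expands to the unparenthesised expression `1024 * 1024`, so a later use beside an operator of equal or higher precedence (such as `x / MAX_POST_SIZE` or `x % MAX_POST_SIZE`) would silently compute a different bound. The comparison added in the second hunk is unaffected because `*` binds tighter than `>`, but a limit that guards memory use should not depend on how it happens to be used. I would write `#define MAX_POST_SIZE (1024 * 1024)`, or a typed constant such as `static const unsigned long MAX_POST_SIZE = 1024 * 1024;`, with a one-line comment saying it caps the HTTP POST body in bytes.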
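Review bot: The check added in the `Content-Length:` branch tests only the length the client declares, and `ReadLine` carries on after `PrintErrorPage(...)`: `m_uPostLen` keeps the oversized value and later header lines are still handled. Whether the body is still buffered after the 413 depends on `PrintErrorPage` and on the code that appends POST data, both outside this hunk, so the 1 MiB cap is only as strong as those paths. I would brace the branch and stop processing there, e.g. `m_uPostLen = 0;` followed by `return;` after the error page. I would also compare the accumulated body size against `MAX_POST_SIZE` where the data is appended, so a client that sends more than it declared, or omits `Content-Length`, is bounded as well. `ReadLine` begins and ends outside the hunk, so the effect of an early return on the remaining header handling should be confirmed.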