
🥅 Validate response literal byte size format #681

Merged
nevans merged 1 commit into master from response_reader-strict-literal_size
May 18, 2026

Conversation

@nevans (Collaborator) commented May 18, 2026

This guards against numbers like 99999999999999999999.

This isn't a security issue (unless max_response_size is set to nil). But it's reasonable to block too large numbers in both the response reader and the response parser, regardless of that config setting.

Note also that this still allows strings like 000000000000000001. This is goofy, but it's how the RFCs are written! (See #680.)

This guards against numbers like `99999999999999999999`.

This isn't a security issue unless `max_response_size` is `nil`.  But
it's reasonable to block too large numbers in both the response reader
and the response parser, regardless of that config setting.

Note also that this still _allows_ strings like `000000000000000001`.
This is goofy, but it's how the RFCs are written!
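A strict check for the `{N}` literal size prefix, as an added example that is not net-imap's own code: it rejects malformed or oversized digit runs such as `99999999999999999999` before converting them, still accepts leading zeros as the RFC grammar does, and optionally enforces a `max_response_size` like the setting discussed above. Using RFC 9051's number64 range as the hard limit applied regardless of configuration is an assumption of this example.

```ruby
# Added example, not net-imap's code: strict validation of the "{N}" size
# prefix that precedes an IMAP literal's bytes in a server response.
# Assumption: RFC 9051 number64 (0 <= n <= 2**63 - 1) is the hard limit
# enforced regardless of configuration; max_response_size is the optional,
# configurable cap (nil disables it, as in the PR discussion).

class LiteralSizeError < StandardError; end

NUMBER64_MAX = 2**63 - 1                 # RFC 9051 number64: unsigned 63-bit
NUMBER64_DIGITS = NUMBER64_MAX.to_s.length # 19 significant digits at most
LITERAL_PREFIX = /\A\{(\d+)\}\z/          # exactly "{" 1*DIGIT "}"

# Returns the literal byte count as an Integer, or raises LiteralSizeError.
# - The digit string must match 1*DIGIT exactly, so "000001" is accepted
#   (per the RFC grammar) while "", "1e3", " 12" and "-1" are not.
# - The count of significant digits is bounded *before* conversion, so a
#   20-digit run is rejected without ever building a huge Integer.
def parse_literal_size(prefix, max_response_size: nil)
  m = LITERAL_PREFIX.match(prefix) or
    raise LiteralSizeError, "malformed literal prefix: #{prefix.inspect}"
  digits = m[1]
  # Leading zeros are legal; drop them only for the width check.
  significant = digits.sub(/\A0+(?=\d)/, "")
  if significant.length > NUMBER64_DIGITS
    raise LiteralSizeError, "literal size exceeds number64: #{digits}"
  end
  size = Integer(significant, 10)
  if size > NUMBER64_MAX
    raise LiteralSizeError, "literal size exceeds number64: #{digits}"
  end
  if max_response_size && size > max_response_size
    raise LiteralSizeError,
          "literal size #{size} exceeds max_response_size #{max_response_size}"
  end
  size
end

# Convenience predicate for callers that only need accept/reject.
def valid_literal_size?(prefix, max_response_size: nil)
  parse_literal_size(prefix, max_response_size: max_response_size)
  true
rescue LiteralSizeError
  false
end
```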
@nevans nevans merged commit 0d508fa into master May 18, 2026
39 checks passed
@nevans nevans deleted the response_reader-strict-literal_size branch May 18, 2026 20:39