Subject: Re: [boost] [Beast] Security issue note
From: Vinnie Falco (vinnie.falco_at_[hidden])
Date: 2017-06-28 11:16:49
On Wed, Jun 28, 2017 at 1:06 AM, Artyom Beilis via Boost
<boost_at_[hidden]> wrote:
> In CppCMS I use 1MB for generic content type and 64MB for
> multipart/form-data (that goes to filesystem - not memory...)
> ...
> 8MB for post and for files 2MB per file up to 20 files.
Well, Beast doesn't know anything about content type or multipart
encoding so I can only realistically set a default depending on
whether it is a request or a response. I will leave it at 1MB for
requests and 8MB for responses. Servers will have more connections so
it makes sense for the limit to be lower.
I also added an "on_header" callback feature to beast::http::parser so
that users can set the limit after receiving the header based on the
contents. This allows for the type of logic you are describing; the
limit may be conditionally set depending on the value of Content-Type.
The benefit of the callback is that it does not require that the HTTP
message is read in two I/Os (first the header then the body).
This is in the "v70" branch which will be merged today (Wednesday)