Merge commit from fork

Co-authored-by: SimulPiscator <simul.piscator@github.com>

Author: SimulPiscator

web/httpserver.cpp

@@ -19,6 +19,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "httpserver.h"
 
 #include <atomic>
+#include <cmath>
 #include <cstring>
 #include <ctime>
 #include <sstream>
@@ -44,6 +45,8 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "basic/fdbuf.h"
 #include "errorpage.h"
 
+static const int kMaxRequestLength = 1024 * 1024; // bytes
+
 const char* HttpServer::HTTP_GET = "GET";
 const char* HttpServer::HTTP_POST = "POST";
 const char* HttpServer::HTTP_DELETE = "DELETE";
@@ -386,7 +389,7 @@ struct HttpServer::Private
     fdbuf buf(fd);
     std::istream is(&buf);
     std::ostream os(&buf);
-    Request request(is);
+    Request request(is, kMaxRequestLength);
     Response response(os);
     if (!request.isValid()) {
       response.setStatus(HTTP_BAD_REQUEST);
@@ -722,9 +725,10 @@ HttpServer::Response::sendHeaders()
   return mpChunkstream ? *mpChunkstream : mStream;
 }
 
-HttpServer::Request::Request(std::istream& is)
+HttpServer::Request::Request(std::istream& is, int maxLength)
   : mStream(is)
   , mValid(true)
+  , mContentLength(-1)
 {
   std::string line;
   if (std::getline(is, line)) {
@@ -747,6 +751,15 @@ HttpServer::Request::Request(std::istream& is)
       }
     }
   }
+  if (mHeaders.hasKey(HTTP_HEADER_CONTENT_LENGTH)) {
+    double length = mHeaders.getNumber(HTTP_HEADER_CONTENT_LENGTH);
+    if (std::isnan(length) || length > maxLength) {
+      mValid = false;
+    }
+    else {
+      mContentLength = length;
+    }
+  }
 }
 
 const std::string&
@@ -784,14 +797,6 @@ HttpServer::Request::formData() const
   return mFormData;
 }
 
-int
-HttpServer::Request::contentLength() const
-{
-  return mHeaders.hasKey(HTTP_HEADER_CONTENT_LENGTH)
-           ? mHeaders.getNumber(HTTP_HEADER_CONTENT_LENGTH)
-           : -1;
-}
-
 std::ostream&
 HttpServer::Request::print(std::ostream& os) const
 {

web/httpserver.h

@@ -98,14 +98,14 @@ class HttpServer
   class Request
   {
   public:
-    explicit Request(std::istream&);
+    Request(std::istream&, int maxLength);
     bool isValid() const { return mValid; }
     const std::string& uri() const { return mUri; }
     const std::string& method() const { return mMethod; }
     const std::string& protocol() const { return mProtocol; }
     const std::string& header(const std::string& s) const;
     const Dictionary& headers() const { return mHeaders; }
-    int contentLength() const;
+    int contentLength() const { return mContentLength; }
     const std::string& content() const;
     bool hasFormData() const;
     const Dictionary& formData() const;
@@ -118,6 +118,7 @@ class HttpServer
     bool mValid;
     std::string mUri, mMethod, mProtocol, mLogInfo;
     Dictionary mHeaders;
+    int mContentLength;
     mutable std::string mContent;
     mutable Dictionary mFormData;
   };