http: put a limit on POST size

R=rsc CC=golang-dev https://golang.org/cl/4432076

http: put a limit on POST size
R=rsc CC=golang-dev https://golang.org/cl/4432076
ec3fe2a5 · Brad Fitzpatrick · 6e71e1ca · ec3fe2a5
Commit ec3fe2a5 authored Apr 27, 2011 by Brad Fitzpatrick
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

request.go src/pkg/http/request.go +5 -1

No files found.
--- a/src/pkg/http/request.go
+++ b/src/pkg/http/request.go
@@ -596,13 +596,17 @@ func (r *Request) ParseForm() (err os.Error) {
 		ct := r.Header.Get("Content-Type")
 		switch strings.Split(ct, ";", 2)[0] {
 		case "text/plain", "application/x-www-form-urlencoded", "":
-			b, e := ioutil.ReadAll(r.Body)
+			const maxFormSize = int64(10 << 20) // 10 MB is a lot of text.
+			b, e := ioutil.ReadAll(io.LimitReader(r.Body, maxFormSize+1))
 			if e != nil {
 				if err == nil {
 					err = e
 				}
 				break
 			}
+			if int64(len(b)) > maxFormSize {
+				return os.NewError("http: POST too large")
+			}
 			e = parseQuery(r.Form, string(b))
 			if err == nil {
 				err = e