On Sun, 21 Jul 2019 at 22:08, Florian Weimer <f...@deneb.enyo.de> wrote:
> * Jérémy Lal:
>
> > I believe this commit should partly be applied to http-parser:
> > https://github.com/nodejs/node/commit/a8532d4d2
> >
> > Specifically setting HTTP_MAX_HEADER_SIZE to a more reasonable
> > default (8192 instead of 81920 bytes) should be good for all other
> > software depending on http-parser...
>
> The default limit doesn't look so bad to me. The kernel will happily
> allocate much more for a typical TCP connection, for example.

This is a comparison between apples (TCP level) and bananas (application level), so I think it's not a valid argument.

> Lowering the limit in a Debian release could introduce regressions.

Indeed, it could, in theory. However most (probably all...) web servers set default limits on that value; to get a rough idea one can have a look at https://stackoverflow.com/questions/686217/maximum-on-http-header-values

Also note the vulnerability is tagged as *high*. Meaning there's a good chance other software using http-parser is affected. Ruby? Python?

Jérémy
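The point under discussion is how an HTTP parser bounds the bytes it will buffer for a request's header block. The following is an added illustration, not code from http-parser, Node or Debian: a small reader that counts header bytes as they arrive and rejects the request as soon as the configured budget is crossed, rather than buffering everything first. The two limits are the defaults named in the thread (81920 and 8192); the function names (`read_headers`, `accepts`, `build_request`) and the sample requests are constructed for this example.

```python
"""Incremental enforcement of a maximum HTTP request-header size.

Added example, not http-parser's or Node's code. The parser keeps a running
count of request-line plus header bytes and aborts once the configured limit
is exceeded, so memory held per connection stays bounded by the limit (plus
one read chunk) no matter how much a client sends. Limit values are the two
defaults discussed in the thread; the request samples are constructed.
"""
import io

DEFAULT_LIMIT_OLD = 81920   # historical http-parser default (per the thread)
DEFAULT_LIMIT_NEW = 8192    # proposed lower default (per the thread)


class HeaderTooLarge(Exception):
    """Raised when the request line plus headers exceed the byte budget."""


def read_headers(stream, max_header_size=DEFAULT_LIMIT_NEW, chunk=1024):
    """Read the request line and headers from a binary stream.

    Bytes are counted as they are read, so at most max_header_size + chunk
    bytes are ever buffered before the request is rejected.
    Returns (request_line, headers_dict, leftover_bytes); leftover_bytes are
    any body bytes that arrived in the same read as the header terminator.
    """
    buf = bytearray()
    while True:
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            break
        # Budget check happens before every further read, not after the
        # terminator is finally seen, which is what bounds memory use.
        if len(buf) > max_header_size:
            raise HeaderTooLarge(f"{len(buf)} bytes without end of headers")
        data = stream.read(chunk)
        if not data:
            raise ValueError("connection closed before end of headers")
        buf += data
    head_len = end + 4  # include the terminating CRLF CRLF in the count
    if head_len > max_header_size:
        raise HeaderTooLarge(f"{head_len} bytes exceeds {max_header_size}")
    head = bytes(buf[:end]).decode("latin-1")
    leftover = bytes(buf[head_len:])
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, leftover


def build_request(padding_len):
    """Construct a GET request whose X-Padding header carries padding_len bytes.

    Fixed overhead is 51 bytes (request line, Host header, header name and
    the final CRLF CRLF), so the header block totals 51 + padding_len bytes.
    """
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"X-Padding: " + b"a" * padding_len + b"\r\n\r\n")


def accepts(request_bytes, max_header_size):
    """True if the request's header block fits within max_header_size."""
    try:
        read_headers(io.BytesIO(request_bytes), max_header_size)
        return True
    except HeaderTooLarge:
        return False


if __name__ == "__main__":
    for padding in (100, 20000, 100000):
        req = build_request(padding)
        print(f"{len(req):>7} header bytes: "
              f"old limit {'accept' if accepts(req, DEFAULT_LIMIT_OLD) else 'reject'}, "
              f"new limit {'accept' if accepts(req, DEFAULT_LIMIT_NEW) else 'reject'}")
```

Running the block prints one line per sample request; a 20 kB header block passes the old 81920-byte default and is rejected by the 8192-byte one, which is the regression-versus-exposure trade-off the thread is weighing. The design point is the placement of the check inside the read loop: a parser that only compares the size after it has located the blank line has already spent the memory the limit was meant to cap.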