auth web: make max request/response body size configurable

diff --git a/docs/http-api/index.rst b/docs/http-api/index.rst
index 55cf9bcc90e2467f7c14ce14dbbade5d2dfed66f..0b54204ece0b296c37de0281f261d861128e70f8 100644 (file)
--- a/docs/http-api/index.rst
+++ b/docs/http-api/index.rst
@@ -19,6 +19,7 @@ The following webserver related configuration items are available:
 * :ref:`setting-webserver-password`: If set, viewers will have to enter this plaintext password in order to gain access to the statistics, in addition to entering the configured API key on the index page.
 * :ref:`setting-webserver-port`: Port to bind the webserver to.
 * :ref:`setting-webserver-allow-from`: Netmasks that are allowed to connect to the webserver
+* :ref:`setting-webserver-max-bodysize`: Maximum request/response body size in megabytes
 
 Enabling the API
 ----------------

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index bd57fc54235208771682b01da17d0c3a1d5e146d..f562c2258528c1b8c8fd9159ad9999c014cb0e4a 100644 (file)
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -151,6 +151,7 @@ void declareArguments()
   ::arg().set("webserver-password","Password required for accessing the webserver")="";
   ::arg().set("webserver-allow-from","Webserver/API access is only allowed from these subnets")="127.0.0.1,::1";
   ::arg().set("webserver-loglevel", "Amount of logging in the webserver (none, normal, detailed)") = "normal";
+  ::arg().set("webserver-max-bodysize","Webserver/API maximum request/response body size in megabytes")="2";
 
   ::arg().setSwitch("do-ipv6-additional-processing", "Do AAAA additional processing")="yes";
   ::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no";

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index a867200c42503031e563404f35141b8dcb27045a..17f1b781e21f4ccc54960aa8f91a47b87163b649 100644 (file)
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1725,6 +1725,15 @@ The value between the hooks is a UUID that is generated for each request. This c
 .. note::
   The webserver logs these line on the NOTICE level. The :ref:`settings-loglevel` seting must be 5 or higher for these lines to end up in the log.
 
+.. _setting-webserver-max-bodysize:
+
+``webserver-max-bodysize``
+--------------------------
+-  Integer
+-  Default: 2
+
+Maximum request/response body size in megabytes.
+
 .. _setting-webserver-password:
 
 ``webserver-password``

diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index a168559e178505720390c4f6c9957c6f8bc8ce17..3ec2a265c81f3dcb83b60d1047205df35fd14e11 100644 (file)
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -344,12 +344,14 @@ void WebServer::serveConnection(std::shared_ptr<Socket> client) const {
 
   HttpRequest req(logprefix);
   HttpResponse resp;
+  resp.max_response_size=d_maxbodysize;
   ComboAddress remote;
   string reply;
 
   try {
     YaHTTP::AsyncRequestLoader yarl;
     yarl.initialize(&req);
+    req.max_request_size=d_maxbodysize;
     int timeout = 5;
     client->setNonBlocking();
 
@@ -406,7 +408,8 @@ void WebServer::serveConnection(std::shared_ptr<Socket> client) const {
 WebServer::WebServer(const string &listenaddress, int port) :
   d_listenaddress(listenaddress),
   d_port(port),
-  d_server(nullptr)
+  d_server(nullptr),
+  d_maxbodysize(2*1024*1024)
 {
 }
 

diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index 500f157044fb358e0607b5b067ae3c6343a8d214..f2c7f7496df3bb1952fa0fd4fc8dac3f820097f7 100644 (file)
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -171,6 +171,10 @@ public:
     d_webserverPassword = password;
   }
 
+  void setMaxBodySize(ssize_t s) { // in megabytes
+    d_maxbodysize = s * 1024 * 1024;
+  }
+
   void setACL(const NetmaskGroup &nmg) {
     d_acl = nmg;
   }
@@ -238,6 +242,8 @@ protected:
   std::string d_webserverPassword;
   bool d_registerWebHandlerCalled{false};
 
+  ssize_t d_maxbodysize; // in bytes
+
   NetmaskGroup d_acl;
 
   const string d_logprefix = "[webserver] ";

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index e3f32a5099eb93aea126e64406127e5645db37d2..57489a25131c6d73c20b208e6a1054881c6c9e63 100644 (file)
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -78,6 +78,8 @@ AuthWebServer::AuthWebServer() :
     acl.toMasks(::arg()["webserver-allow-from"]);
     d_ws->setACL(acl);
 
+    d_ws->setMaxBodySize(::arg().asNum("webserver-max-bodysize"));
+
     d_ws->bind();
   }
 }