auth web: make max request/response body size configurable

(cherry picked from commit 214b034e99eee03ab9c364fab11921be61942b15)

diff --git a/docs/http-api/index.rst b/docs/http-api/index.rst
index 55cf9bcc90e2467f7c14ce14dbbade5d2dfed66f..0b54204ece0b296c37de0281f261d861128e70f8 100644 (file)
--- a/docs/http-api/index.rst
+++ b/docs/http-api/index.rst
@@ -19,6 +19,7 @@ The following webserver related configuration items are available:
 * :ref:`setting-webserver-password`: If set, viewers will have to enter this plaintext password in order to gain access to the statistics, in addition to entering the configured API key on the index page.
 * :ref:`setting-webserver-port`: Port to bind the webserver to.
 * :ref:`setting-webserver-allow-from`: Netmasks that are allowed to connect to the webserver
+* :ref:`setting-webserver-max-bodysize`: Maximum request/response body size in megabytes
 
 Enabling the API
 ----------------

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 016a77aa74113870765648a642f67c0dad30b0a7..df6053922f4c2fbbf174dad8b32cd91f7085bc37 100644 (file)
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -150,6 +150,7 @@ void declareArguments()
   ::arg().set("webserver-password","Password required for accessing the webserver")="";
   ::arg().set("webserver-allow-from","Webserver/API access is only allowed from these subnets")="127.0.0.1,::1";
   ::arg().set("webserver-loglevel", "Amount of logging in the webserver (none, normal, detailed)") = "normal";
+  ::arg().set("webserver-max-bodysize","Webserver/API maximum request/response body size in megabytes")="2";
 
   ::arg().setSwitch("do-ipv6-additional-processing", "Do AAAA additional processing")="yes";
   ::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no";

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index a867200c42503031e563404f35141b8dcb27045a..17f1b781e21f4ccc54960aa8f91a47b87163b649 100644 (file)
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1725,6 +1725,15 @@ The value between the hooks is a UUID that is generated for each request. This c
 .. note::
   The webserver logs these line on the NOTICE level. The :ref:`settings-loglevel` seting must be 5 or higher for these lines to end up in the log.
 
+.. _setting-webserver-max-bodysize:
+
+``webserver-max-bodysize``
+--------------------------
+-  Integer
+-  Default: 2
+
+Maximum request/response body size in megabytes.
+
 .. _setting-webserver-password:
 
 ``webserver-password``

diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index fa8df4837f9086117613c400aa79e9e911853755..3b1d00b290dca464fca31a2c9c5e9956ca9177b3 100644 (file)
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -352,12 +352,14 @@ void WebServer::serveConnection(std::shared_ptr<Socket> client) const {
 
   HttpRequest req(logprefix);
   HttpResponse resp;
+  resp.max_response_size=d_maxbodysize;
   ComboAddress remote;
   string reply;
 
   try {
     YaHTTP::AsyncRequestLoader yarl;
     yarl.initialize(&req);
+    req.max_request_size=d_maxbodysize;
     int timeout = 5;
     client->setNonBlocking();
 
@@ -414,7 +416,8 @@ void WebServer::serveConnection(std::shared_ptr<Socket> client) const {
 WebServer::WebServer(const string &listenaddress, int port) :
   d_listenaddress(listenaddress),
   d_port(port),
-  d_server(nullptr)
+  d_server(nullptr),
+  d_maxbodysize(2*1024*1024)
 {
 }
 

diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index d7848847f3aab4dc75ab8a4c8f3d2af247b0bd14..707b0e23c462e889efea6ae3f632ce1a1fbb5506 100644 (file)
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -165,6 +165,10 @@ public:
     d_webserverPassword = password;
   }
 
+  void setMaxBodySize(ssize_t s) { // in megabytes
+    d_maxbodysize = s * 1024 * 1024;
+  }
+
   void setACL(const NetmaskGroup &nmg) {
     d_acl = nmg;
   }
@@ -231,6 +235,8 @@ protected:
   std::string d_webserverPassword;
   void webWrapper(WebServer::HandlerFunction handler, HttpRequest* req, HttpResponse* resp);
 
+  ssize_t d_maxbodysize; // in bytes
+
   NetmaskGroup d_acl;
 
   const string d_logprefix = "[webserver] ";

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 25f980e858e4b4b4522d81247b118bf58f7e916a..e53ac3276caceef11b0b583d86d24b66b111ee97 100644 (file)
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -78,6 +78,8 @@ AuthWebServer::AuthWebServer() :
     acl.toMasks(::arg()["webserver-allow-from"]);
     d_ws->setACL(acl);
 
+    d_ws->setMaxBodySize(::arg().asNum("webserver-max-bodysize"));
+
     d_ws->bind();
   }
 }