From 214b034e99eee03ab9c364fab11921be61942b15 Mon Sep 17 00:00:00 2001
From: Peter van Dijk
Date: Fri, 8 Mar 2019 14:58:22 +0100
Subject: [PATCH] auth web: make max request/response body size configurable
---
 docs/http-api/index.rst | 1 +
 pdns/common_startup.cc | 1 +
 pdns/recursordist/docs/settings.rst | 9 +++++++++
 pdns/webserver.cc | 5 ++++-
 pdns/webserver.hh | 6 ++++++
 pdns/ws-auth.cc | 2 ++
 6 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/docs/http-api/index.rst b/docs/http-api/index.rst
index 55cf9bcc9..0b54204ec 100644
--- a/docs/http-api/index.rst
+++ b/docs/http-api/index.rst
@@ -19,6 +19,7 @@ The following webserver related configuration items are available:
 * :ref:`setting-webserver-password`: If set, viewers will have to enter this plaintext password in order to gain access to the statistics, in addition to entering the configured API key on the index page.
 * :ref:`setting-webserver-port`: Port to bind the webserver to.
 * :ref:`setting-webserver-allow-from`: Netmasks that are allowed to connect to the webserver
+* :ref:`setting-webserver-max-bodysize`: Maximum request/response body size in megabytes
 Enabling the API
 ----------------
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index bd57fc542..f562c2258 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -151,6 +151,7 @@ void declareArguments()
 ::arg().set("webserver-password","Password required for accessing the webserver")="";
 ::arg().set("webserver-allow-from","Webserver/API access is only allowed from these subnets")="127.0.0.1,::1";
 ::arg().set("webserver-loglevel", "Amount of logging in the webserver (none, normal, detailed)") = "normal";
+ ::arg().set("webserver-max-bodysize","Webserver/API maximum request/response body size in megabytes")="2";
 ::arg().setSwitch("do-ipv6-additional-processing", "Do AAAA additional processing")="yes";
 ::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no";
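Review bot: The `webserver-max-bodysize` declaration in pdns/common_startup.cc gives no hint of the accepted range, and its default `"2"` is repeated independently as `2*1024*1024` in the WebServer constructor in pdns/webserver.cc, so the two can drift apart. I would extend the help text to something like `"Webserver/API maximum request/response body size in megabytes (positive integer)"` and derive both defaults from one constant. Separately, the only settings entry this patch adds is in pdns/recursordist/docs/settings.rst, so the `:ref:` added to docs/http-api/index.rst may not resolve in the authoritative docs unless that anchor is defined elsewhere. declareArguments() starts and ends outside the hunk.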
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index a867200c4..17f1b781e 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1725,6 +1725,15 @@ The value between the hooks is a UUID that is generated for each request. This c
 .. note:: The webserver logs these line on the NOTICE level. The :ref:`settings-loglevel` seting must be 5 or higher for these lines to end up in the log.
+.. _setting-webserver-max-bodysize:
+
+``webserver-max-bodysize``
+--------------------------
+- Integer
+- Default: 2
+
+Maximum request/response body size in megabytes.
+
 .. _setting-webserver-password:
 ``webserver-password``
diff --git a/pdns/webserver.cc b/pdns/webserver.cc
index a168559e1..3ec2a265c 100644
--- a/pdns/webserver.cc
+++ b/pdns/webserver.cc
@@ -344,12 +344,14 @@ void WebServer::serveConnection(std::shared_ptr client) const {
 HttpRequest req(logprefix);
 HttpResponse resp;
+ resp.max_response_size=d_maxbodysize;
 ComboAddress remote;
 string reply;
 try {
 YaHTTP::AsyncRequestLoader yarl;
 yarl.initialize(&req);
+ req.max_request_size=d_maxbodysize;
 int timeout = 5;
 client->setNonBlocking();
@@ -406,7 +408,8 @@ void WebServer::serveConnection(std::shared_ptr client) const {
 WebServer::WebServer(const string &listenaddress, int port) :
 d_listenaddress(listenaddress),
 d_port(port),
- d_server(nullptr)
+ d_server(nullptr),
+ d_maxbodysize(2*1024*1024)
 {
 }
diff --git a/pdns/webserver.hh b/pdns/webserver.hh
index 500f15704..f2c7f7496 100644
--- a/pdns/webserver.hh
+++ b/pdns/webserver.hh
@@ -171,6 +171,10 @@ public:
 d_webserverPassword = password;
 }
+ void setMaxBodySize(ssize_t s) { // in megabytes
+ d_maxbodysize = s * 1024 * 1024;
+ }
+
 void setACL(const NetmaskGroup &nmg) {
 d_acl = nmg;
 }
@@ -238,6 +242,8 @@ protected:
 std::string d_webserverPassword;
 bool d_registerWebHandlerCalled{false};
+ ssize_t d_maxbodysize; // in bytes
+
 NetmaskGroup d_acl;
 const string d_logprefix = "[webserver] ";
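Review bot: In the serveConnection hunk of pdns/webserver.cc, the request limit is assigned only after `yarl.initialize(&req)` while the response limit is assigned right after construction, and nothing explains the asymmetry. If the ordering is deliberate because initialize() resets the request's limits (not visible in this hunk), a later tidy-up that moves the assignment up would silently restore the library default. A comment such as `// set after initialize(): the loader may reset the request's limits` would pin that down. The function body continues outside the hunk.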
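Review bot: `setMaxBodySize` in pdns/webserver.hh multiplies its argument by `1024 * 1024` with no range check, and the caller in pdns/ws-auth.cc passes `::arg().asNum("webserver-max-bodysize")` straight through. A configured value of 0 or a negative number yields a zero or negative byte limit, and a large value overflows `ssize_t` (undefined behaviour; with a 32-bit `ssize_t` that starts at 2048). Because this limit bounds how much body data a client can make the webserver accept, a bad value should be rejected at startup rather than left to whatever YaHTTP does with an out-of-range limit, which is not visible here. I would add `if (s <= 0 || s > std::numeric_limits<ssize_t>::max() / (1024 * 1024)) throw std::invalid_argument("webserver-max-bodysize out of range");` before the assignment, or use the project's own startup-error type.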
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index e3f32a509..57489a251 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -78,6 +78,8 @@ AuthWebServer::AuthWebServer() :
 acl.toMasks(::arg()["webserver-allow-from"]);
 d_ws->setACL(acl);
+ d_ws->setMaxBodySize(::arg().asNum("webserver-max-bodysize"));
+
 d_ws->bind();
 }
 }
-- 
2.40.0