Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Send 431 when HTTP/2&3 headers are too large or many #44668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Oct 27, 2022
Merged

Send 431 when HTTP/2&3 headers are too large or many #44668

merged 5 commits into from
Oct 27, 2022

Conversation

Tratcher
Copy link
Member

@Tratcher Tratcher commented Oct 20, 2022
edited
Loading

When HTTP/2 hits a header related limit (total size or count) it aborts the connection because HPACK is stateful and failing to process the rest of the headers in a request could corrupt the connection HPACK state. HTTP/3 copied this model.

To avoid this we'll allow up to 2x of the limits while processing the headers, but then enforce the hard limits later when we can send a 431.

@Tratcher Tratcher added this to the 8.0-preview1 milestone Oct 20, 2022
@Tratcher Tratcher requested a review from halter73 as a code owner October 20, 2022 23:44
@Tratcher Tratcher self-assigned this Oct 20, 2022
@Tratcher Tratcher mentioned this pull request Oct 21, 2022
Merged
halter73
halter73 reviewed Oct 24, 2022
View reviewed changes
@MihaZupan
Copy link
Member

To avoid this we'll allow up to 2x of the limits while processing the headers, but then enforce the hard limits later when we can send a 431.

Would it be possible to skip enforcing the header count limit while receiving, and only enforce the exact value afterwards?

@Tratcher Tratcher requested a review from halter73 October 25, 2022 22:26
@Tratcher
Copy link
Member Author

To avoid this we'll allow up to 2x of the limits while processing the headers, but then enforce the hard limits later when we can send a 431.

Would it be possible to skip enforcing the header count limit while receiving, and only enforce the exact value afterwards?

We'd rather not, that significantly reduces the effectiveness of the limit.

@build-analysis build-analysis bot mentioned this pull request Oct 26, 2022
Closed
2 tasks
@Tratcher Tratcher merged commit 90802f2 into dotnet:main Oct 27, 2022
@Tratcher Tratcher deleted the tratcher/longheaders branch October 27, 2022 15:30
This was referenced Oct 27, 2022
Closed
Closed
@Tratcher
Copy link
Member Author

/backport to release/7.0

@github-actions
Copy link
Contributor

Started backporting to release/7.0: https://github.com/dotnet/aspnetcore/actions/runs/3339111224

@github-actions github-actions bot mentioned this pull request Oct 27, 2022
Merged
10 tasks
@Tratcher Tratcher mentioned this pull request Oct 27, 2022
Merged
10 tasks
@MihaZupan MihaZupan mentioned this pull request Dec 6, 2022
Merged
@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Jun 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JamesNK JamesNK JamesNK left review comments

@MihaZupan MihaZupan MihaZupan left review comments

@halter73 halter73 halter73 approved these changes

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy BrennanConroy is a code owner

Assignees

@Tratcher Tratcher

Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
8.0-preview1
Development

Successfully merging this pull request may close these issues.
5 participants
@Tratcher @MihaZupan @halter73 @JamesNK @amcasey