From 4a8cbcd8f05c2e6e2eac403651bdce1787036623 Mon Sep 17 00:00:00 2001
From: Martin Zimmermann
Date: Sat, 9 Aug 2014 20:55:02 +0200
Subject: [PATCH] limit request size, closes #107
---
 isso/utils/__init__.py | 4 +++-
 isso/views/comments.py | 3 +++
 isso/wsgi.py | 9 +++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/isso/utils/__init__.py b/isso/utils/__init__.py
index 1dfb517..924e9a1 100644
--- a/isso/utils/__init__.py
+++ b/isso/utils/__init__.py
@@ -8,9 +8,11 @@ werkzeug = pkg_resources.get_distribution("werkzeug")
 import json
 import hashlib
-from werkzeug.wrappers import Request, Response
+from werkzeug.wrappers import Response
 from werkzeug.exceptions import BadRequest
+from isso.wsgi import Request
+
 try:
 import ipaddress
 except ImportError:
diff --git a/isso/views/comments.py b/isso/views/comments.py
index 04910b7..5008d27 100644
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@@ -142,6 +142,9 @@ class API(object):
 if len(comment["text"].rstrip()) < 3:
 return False, "text is too short (minimum length: 3)"
+ if len(comment["text"]) > 65535:
+ return False, "text is too long (maximum length: 65535)"
+
 if len(comment.get("email") or "") > 254:
 return False, "http://tools.ietf.org/html/rfc5321#section-4.5.3"
diff --git a/isso/wsgi.py b/isso/wsgi.py
index a2753f9..50214f3 100644
--- a/isso/wsgi.py
+++ b/isso/wsgi.py
@@ -17,6 +17,7 @@ except ImportError:
 from BaseHTTPServer import HTTPServer
 from werkzeug.serving import WSGIRequestHandler
+from werkzeug.wrappers import Request as _Request
 from werkzeug.datastructures import Headers
 from isso.compat import string_types
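Review bot: The new maximum in comments.py is measured in code points (`len(comment["text"])`), not bytes, so the 65535 bound does not by itself cap request memory: a text of 65535 four-byte characters is about 256 KiB in UTF-8, and larger still if a client sends it `\u`-escaped in the JSON body, so the byte-level bound has to come from the request layer. A one-line comment above the check would make that dependency explicit: `# Code-point limit only; the byte-level bound is Request.max_content_length in isso.wsgi`. The minimum-length check two lines up compares `comment["text"].rstrip()` while the maximum compares the raw text, so trailing whitespace counts toward one limit and not the other; if that is intended, say so, otherwise compare the same value in both. The enclosing validation method starts and ends outside the hunk.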
@@ -148,6 +149,14 @@ class CORSMiddleware(object):
 return self.app(environ, add_cors_headers)
+class Request(_Request):
+ # Assuming UTF-8, comments with 65536 characters would consume
+ # 128 kb memory. The remaining 128 kb cover additional parameters
+ # and WSGI headers.
+ max_content_length = 256 * 1024
+
+
 class SocketWSGIRequestHandler(WSGIRequestHandler):
 def run_wsgi(self):
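Review bot: `max_content_length` on a werkzeug `Request` is, in the werkzeug releases contemporary with this commit, only checked by the form-data parser (`request.form`/`request.files`, or `get_data(parse_form_data=True)`); `request.data`, `get_data()` and `request.stream` read the body without consulting it. If the JSON views read the body through one of those (their read path is not visible here), this attribute bounds nothing and the limit should be enforced explicitly, e.g. by rejecting with 413 when `request.content_length` is missing or above the cap before the body is read. Even where it does fire it compares the declared Content-Length, so a body sent without that header is not bounded by it. The arithmetic in the new comment is also off: UTF-8 is 1–4 bytes per character, so 65535 characters (the limit comments.py actually allows, not 65536) can reach 256 KiB, which is the whole budget rather than half of it. Suggest rewording to `# 256 KiB bounds request memory; a 65535-char comment in 4-byte UTF-8 already fills it, so this is a DoS cap, not headroom for a maximal comment plus headers.`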