httpd: uri length

Rob Landley rob at landley.net
Mon Sep 5 10:40:46 UTC 2005


On Monday 05 September 2005 01:15, Larry Doolittle wrote:
> > I dunno about protecting against denial of service attacks that force an
> > out of memory condition with a 10 megabyte URL, but if we'd be putting in
> > the limit for the sake of alloca(), that isn't a good trade-off to me...
>
> Boa (another web server) takes DOS attacks very seriously.
> It sets hard limits (compile time constants) on total request
> length, and a few other important buffer sizes. Specifically:
>
> #define CLIENT_STREAM_SIZE                      8192
> #define BUFFER_SIZE                             4096
> #define MAX_HEADER_LENGTH                       1024

I don't have a major problem with any of that, especially since run-time 
memory usage is something we care about.

Rob
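
The trade-off discussed in this message, as an added example that is not part of the original post and is not Boa or BusyBox code: a request-line parser that copies the URI into a fixed-size buffer, so memory use never depends on the length the client sends. The function name `parse_request_line`, the status enum, and the way the two quoted constants are applied here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values from the quoted defines; how they are applied here is assumed. */
#define CLIENT_STREAM_SIZE 8192   /* most bytes buffered for one client */
#define MAX_HEADER_LENGTH  1024   /* longest request line accepted */

enum req_status { REQ_INCOMPLETE = 0, REQ_OK = 200, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };

/* Hypothetical helper: extract the URI from "METHOD SP URI SP VERSION CRLF"
 * into a caller-owned fixed buffer. Nothing is sized from the input, so an
 * oversized URL is rejected instead of driving alloca() or malloc(). */
enum req_status parse_request_line(const char *buf, size_t len,
                                   char uri[MAX_HEADER_LENGTH])
{
    size_t scan = len < MAX_HEADER_LENGTH ? len : MAX_HEADER_LENGTH;
    const char *eol = memchr(buf, '\n', scan);
    if (!eol)   /* no line end inside the cap: reject, or wait for more data */
        return len >= MAX_HEADER_LENGTH ? REQ_URI_TOO_LONG : REQ_INCOMPLETE;

    const char *sp1 = memchr(buf, ' ', (size_t)(eol - buf));
    if (!sp1 || sp1 == buf)
        return REQ_BAD;                      /* missing method or separator */
    const char *start = sp1 + 1;
    const char *sp2 = memchr(start, ' ', (size_t)(eol - start));
    if (!sp2 || sp2 == start)
        return REQ_BAD;                      /* missing URI or version */

    size_t n = (size_t)(sp2 - start);        /* always < MAX_HEADER_LENGTH */
    memcpy(uri, start, n);
    uri[n] = '\0';
    return REQ_OK;
}

int main(void)
{
    char uri[MAX_HEADER_LENGTH];
    static char big[CLIENT_STREAM_SIZE];     /* constructed oversized request */
    const char ok[] = "GET /index.html HTTP/1.0\r\n";   /* constructed */

    memset(big, 'A', sizeof big);
    memcpy(big, "GET /", 5);
    printf("oversized: %d\n", (int)parse_request_line(big, sizeof big, uri));
    printf("normal: %d\n", (int)parse_request_line(ok, sizeof ok - 1, uri));
    printf("uri: %s\n", uri);
    return 0;
}
```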


