>Synopsis: max request body ignored on non-default servers
>Category: httpd
>Environment:
System : OpenBSD 5.6
Details : OpenBSD 5.6-current (GENERIC.MP) #4: Wed Nov 26 17:27:32 EST 2014
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
The "max request body" is not effective on any server{} definition except
the "default" one. I would expect the following config snippet to set the
max request body to 10MB on the "foobar" server but httpd ignores the
instruction.
>How-To-Repeat:
server "default" {
	listen on 127.0.0.1 port 80
	root "/htdocs/default"
}
server "foobar" {
	listen on 127.0.0.1 port 80
	root "/htdocs/foobar"
	connection { max request body 10485760 }
}
>Fix:
From what I understand, this occurs because we do not have access to the
server-specific config struct at this point, only the default. httpd looks
up the server configuration in server_response(), after the body is in
memory.
Moving the size check from server_read_http() to server_response() would
cause the server to read the entire request before checking the
Content-Length, creating other issues. However, moving the server config
lookup right after the headers are parsed would allow for a fix and also
give more configuration flexibility down the line. Does it sound like a
good idea?
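
An added sketch (not httpd's code and not part of the original report) contrasting the two orderings discussed above: a body-size check that only ever sees the default server's limit, and one that resolves the server from the Host header once the headers are parsed and checks Content-Length before any body is read. The struct, function names and the 1 MB default limit are assumptions of this example.

```c
#include <stddef.h>
#include <strings.h>

/* Hypothetical model of per-server settings; not httpd's real structs. */
struct srv_conf {
	const char	*name;
	size_t		 maxrequestbody;
};

/* Constructed table mirroring the report's config; index 0 is "default".
 * The 1 MB default limit is an assumption of this example. */
static const struct srv_conf servers[] = {
	{ "default", 1048576 },
	{ "foobar", 10485760 },
};
#define NSERVERS (sizeof(servers) / sizeof(servers[0]))

/* Pick the server whose name matches the Host header, else the default. */
static const struct srv_conf *
lookup_server(const char *host)
{
	size_t i;

	for (i = 1; host != NULL && i < NSERVERS; i++)
		if (strcasecmp(servers[i].name, host) == 0)
			return (&servers[i]);
	return (&servers[0]);
}

/* Reported behaviour: the limit is checked against the default server only. */
int
body_allowed_default_only(const char *host, size_t content_length)
{
	(void)host;	/* the Host header has no influence on the limit */
	return (content_length <= servers[0].maxrequestbody);
}

/* Proposed ordering: resolve the server once headers are parsed, then
 * check Content-Length before any body bytes are read. */
int
body_allowed_after_lookup(const char *host, size_t content_length)
{
	return (content_length <= lookup_server(host)->maxrequestbody);
}
```

The same ordering matters when a server sets a limit lower than the default: checked against the default only, the stricter limit would never apply.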