From 704fe64434c857e0c24540c15e1e6174d7e94775 Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Fri, 16 Jan 2026 15:13:15 +0000 Subject: [PATCH 1/2] [bitreq] Set default max header/status line limits While its hard to say what size body a client wants, HTTP headers and status line should be quite limited and its very easy for a dev to forget to set a reasonable limit. Here we limit the total header size to the same value used in Chrome, which seems like a pretty safe limit, and the status line limit to a quarter of that (which is really absurd for a status line). --- bitreq/src/request.rs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/bitreq/src/request.rs b/bitreq/src/request.rs index bea06733..65876781 100644 --- a/bitreq/src/request.rs +++ b/bitreq/src/request.rs @@ -117,8 +117,12 @@ impl Request { body: None, timeout: None, pipelining: false, - max_headers_size: None, - max_status_line_len: None, + // Default matches chrome as of 2022-11: + // https://groups.google.com/a/chromium.org/g/chromium-os-discuss/c/in-f59OKYAE/m/uVanwcXkAgAJ + // https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:net/http/http_stream_parser.h;l=164-168;drc=66941d1f0cfe9155b400aef887fe39a403c1f518 + max_headers_size: Some(256 * 1024), + // Probably could be 128 bytes, but set conservatively for good measure. + max_status_line_len: Some(64 * 1024), max_body_size: None, max_redirects: 100, #[cfg(feature = "proxy")] @@ -221,8 +225,7 @@ impl Request { /// /// `None` disables the cap, and may cause the program to use any /// amount of memory if the server responds with a lot of headers - /// (or an infinite amount). The default is None, so setting this - /// manually is recommended when talking to untrusted servers. + /// (or an infinite amount). The default is 256KiB. pub fn with_max_headers_size>>(mut self, max_headers_size: S) -> Request { self.max_headers_size = max_headers_size.into(); self @@ -239,8 +242,7 @@ impl Request { /// /// `None` disables the cap, and may cause the program to use any /// amount of memory if the server responds with a long (or - /// infinite) status line. The default is None, so setting this - /// manually is recommended when talking to untrusted servers. + /// infinite) status line. The default is 64 KiB. pub fn with_max_status_line_length>>( mut self, max_status_line_len: S, From dfa0ce9e0d29c971fd2a804e2abbdfcc2dc92d9d Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Fri, 16 Jan 2026 15:17:02 +0000 Subject: [PATCH 2/2] [bitreq] Set a default max-response limit of 1 GiB Because its very easy to (mis-)use the API and forget to set a response size limit, we really should have a default one. Sadly, its also quite hard to pick a reasonable default here. Rather than being conservative, we pick 1 GiB and hope that this is enough to avoid an OOM, even though its still quite huge, and almost certainly is larger than what people will use `bitreq` for. --- bitreq/src/request.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/bitreq/src/request.rs b/bitreq/src/request.rs index 65876781..7f9b5d53 100644 --- a/bitreq/src/request.rs +++ b/bitreq/src/request.rs @@ -123,7 +123,8 @@ impl Request { max_headers_size: Some(256 * 1024), // Probably could be 128 bytes, but set conservatively for good measure. max_status_line_len: Some(64 * 1024), - max_body_size: None, + // Picked somewhat randomly + max_body_size: Some(1024 * 1024 * 1024), max_redirects: 100, #[cfg(feature = "proxy")] proxy: None, @@ -261,7 +262,10 @@ impl Request { /// /// `None` disables the cap, and may cause the program to use any /// amount of memory if the server responds with a large (or - /// infinite) body. The default is None, so setting this + /// infinite) body. + /// + /// The default is 1 GiB, which is likely to cause an + /// out-of-memory condition in many cases so setting this /// manually is recommended when talking to untrusted servers. pub fn with_max_body_size>>(mut self, max_body_size: S) -> Request { self.max_body_size = max_body_size.into();