HTTP handler: limit host names to 256 bytes (RFC 1035 specifies 253.)

This also makes `nng_http_handler_set_host` never fail (API break).

1 files changed, 12 insertions, 1 deletions

diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md
index 8a1af631..544f15b6 100644
--- a/docs/ref/migrate/nng1.md
+++ b/docs/ref/migrate/nng1.md
@@ -221,8 +221,19 @@ accessors functions are provided:
 
 ## HTTP API
 
-- [`nng_http_req_set_method`] no longer returns a value. It never fails, but it may truncate an unreasonably long value.
+A few limits on string lengths of certain values are now applied, which allows us to preallocate values
+and eliminate certain unreasonable error paths. If values longer than these are supplied in certain APIs
+they may be silently truncated to the limit:
+
+- Hostnames are limited per RFC 1035 to 253 characters (not including terminating "." or zero byte.)
+- HTTP Method names are limited to 32 bytes (the longest IANA registered method is currently 18 bytes, used for WebDAV.)
+- The fixed part of URI pathnames used with HTTP handlers is limited to 1024 bytes.
+
+The following API changes are present:
+
+- [`nng_http_req_set_method`] no longer returns a value, and cannot fail.
 - [`nng_http_res_set_status`] no longer returns a value, and cannot fail.
+- [`nng_http_handler_set_host`] no longer returns a value and cannot fail.
 
 ## Security Descriptors (Windows Only)