From 10f6fc5141a15e368dac813a38942cb66d5ddef4 Mon Sep 17 00:00:00 2001
From: Garrett D'Amore <garrett@damore.org>
Date: Sun, 22 Dec 2024 12:18:33 -0800
Subject: HTTP handler: limit host names to 256 bytes (RFC 1035 specifies 253.)

This also makes `nng_http_handler_set_host` never fail (API break).
---
 docs/ref/migrate/nng1.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'docs/ref')

diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md
index 8a1af631..544f15b6 100644
--- a/docs/ref/migrate/nng1.md
+++ b/docs/ref/migrate/nng1.md
@@ -221,8 +221,19 @@ accessors functions are provided:
 
 ## HTTP API
 
-- [`nng_http_req_set_method`] no longer returns a value. It never fails, but it may truncate an unreasonably long value.
+A few limits on string lengths of certain values are now applied, which allows us to preallocate values
+and eliminate certain unreasonable error paths. If values longer than these are supplied in certain APIs
+they may be silently truncated to the limit:
+
+- Hostnames are limited per RFC 1035 to 253 characters (not including terminating "." or zero byte.)
+- HTTP Method names are limited to 32 bytes (the longest IANA registered method is currently 18 bytes, used for WebDAV.)
+- The fixed part of URI pathnames used with HTTP handlers is limited to 1024 bytes.
+
+The following API changes are present:
+
+- [`nng_http_req_set_method`] no longer returns a value, and cannot fail.
 - [`nng_http_res_set_status`] no longer returns a value, and cannot fail.
+- [`nng_http_handler_set_host`] no longer returns a value and cannot fail.
 
 ## Security Descriptors (Windows Only)
 
-- 
cgit v1.2.3-70-g09d2