From 10f6fc5141a15e368dac813a38942cb66d5ddef4 Mon Sep 17 00:00:00 2001 From: Garrett D'Amore Date: Sun, 22 Dec 2024 12:18:33 -0800 Subject: HTTP handler: limit host names to 256 bytes (RFC 1035 specifies 253.) This also makes `nng_http_handler_set_host` never fail (API break). --- docs/man/nng_http_handler_set_host.3http.adoc | 15 ++++----------- docs/ref/migrate/nng1.md | 13 ++++++++++++- 2 files changed, 16 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/man/nng_http_handler_set_host.3http.adoc b/docs/man/nng_http_handler_set_host.3http.adoc index 0deae488..3f25172f 100644 --- a/docs/man/nng_http_handler_set_host.3http.adoc +++ b/docs/man/nng_http_handler_set_host.3http.adoc @@ -1,6 +1,6 @@ = nng_http_handler_set_host(3http) // -// Copyright 2018 Staysail Systems, Inc. +// Copyright 2024 Staysail Systems, Inc. // Copyright 2018 Capitar IT Group BV // // This document is supplied under the terms of the MIT License, a @@ -20,7 +20,7 @@ nng_http_handler_set_host - set host for HTTP handler #include #include -int nng_http_handler_set_host(nng_http_handler *handler, const char *host); +void nng_http_handler_set_host(nng_http_handler *handler, const char *host); ---- == DESCRIPTION @@ -41,15 +41,8 @@ ports, the port number can be elided. The matching test only considers the hostname or IP address, and ignores any trailing port number. -== RETURN VALUES - -This function returns 0 on success, and non-zero otherwise. - -== ERRORS - -[horizontal] -`NNG_ENOMEM`:: Insufficient free memory to perform the operation. -`NNG_ENOTSUP`:: No support for HTTP in the library. +NOTE: This should not be used with an IP address normally, as `Host:` header +is used with virtual hosts in HTTP/1.1, and not supported for HTTP/1.0. == SEE ALSO diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md index 8a1af631..544f15b6 100644 --- a/docs/ref/migrate/nng1.md +++ b/docs/ref/migrate/nng1.md 
@@ -221,8 +221,19 @@ accessors functions are provided: ## HTTP API -- [`nng_http_req_set_method`] no longer returns a value. It never fails, but it may truncate an unreasonably long value. +A few limits on string lengths of certain values are now applied, which allows us to preallocate values +and eliminate certain unreasonable error paths. If values longer than these are supplied in certain APIs +they may be silently truncated to the limit: + +- Hostnames are limited per RFC 1035 to 253 characters (not including terminating "." or zero byte.) +- HTTP Method names are limited to 32 bytes (the longest IANA registered method is currently 18 bytes, used for WebDAV.) +- The fixed part of URI pathnames used with HTTP handlers is limited to 1024 bytes. + +The following API changes are present: + +- [`nng_http_req_set_method`] no longer returns a value, and cannot fail. - [`nng_http_res_set_status`] no longer returns a value, and cannot fail. +- [`nng_http_handler_set_host`] no longer returns a value and cannot fail. ## Security Descriptors (Windows Only) -- cgit v1.2.3-70-g09d2
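Review bot: In docs/man/nng_http_handler_set_host.3http.adoc, the hunk that drops RETURN VALUES and ERRORS leaves the man page silent on what happens to an over-long host. The migration guide in this same patch says such values "may be silently truncated to the limit", but DESCRIPTION gains only the NOTE about IP addresses. With the function now returning void, the caller cannot learn that the stored host differs from the one passed in, and the matching test described just above the NOTE would then run against the shortened value. Suggest adding a sentence to DESCRIPTION that states the limit and the truncation, so callers know to check the length before the call. Removing the `NNG_ENOTSUP` entry also leaves undocumented what the call does when the library has no HTTP support. Minor wording: the NOTE reads better as "as the `Host:` header is used with virtual hosts in HTTP/1.1, and is not supported for HTTP/1.0".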
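Review bot: In docs/ref/migrate/nng1.md, the new hostname bullet gives the limit as 253 characters, while the commit subject says host names are limited to 256 bytes and mentions 253 only as the RFC 1035 figure. The guide should state the limit that is actually enforced, or explain how the 253 characters relate to the 256 bytes (the bullet already excludes the terminating "." and zero byte). Because truncation is silent and these setters no longer return a value, the added paragraph should also name the affected functions instead of "certain APIs", so callers know where to validate lengths up front. Style: the last added bullet lacks the comma used in the two before it ("no longer returns a value, and cannot fail").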