Feature Request: Limiting Incoming Stream Size in TIdHTTPServer about indy HOT 7 OPEN

There are two different ways you can handle this in the current version:

• use the OnHeadersAvailable event to check the client's Content-Length request header, and if it is too large then set the VContinueProcessing parameter to False, and optionally use the OnHeadersBlocked event to customize the response if desired, ie by setting the VResponseNo parameter to 413 (Content Too Large). By default, it is 403 (Forbidden). Note that this approach will not work for "chunked" requests.

• use the OnCreatePostStream event to provide your own custom TStream object to receive the client's data (by default, a TMemoryStream is used). You can also look at the client's request headers in this event, too. If the Content-Length header is too large, or if too much data gets written to the stream, then you can raise an exception to terminate the request.

from indy.

Thank you very much! I will check this and get back to you.

from indy.

Hi @rlebeau.

I've checked the OnHeadersAvailable and OnHeadersBlocked approach.
This worked so far as I can check the headers and disrupt the communication if needed.

If I set VContinueProcessing to false the event OnHeadersBlocked is fired and I can set the VResponseNo etc. Unfortunately this information doesn't reach the calling client. I used postman for my test and there I only get "Could not get response" and "aborted".

Do I have to "send" the response in some way?

Thx!

from indy.

No, the response is sent automatically after the event handlers return, as you can see in the source code:

  function HeadersCanContinue: Boolean;
  var
    LResponseNo: Integer;
    LResponseText, LContentText, S: String;
  begin
    // let the user decide if the request headers are acceptable
    // TODO pass the whole LRequestInfo object so the user has access
    // to the request method, too...
    Result := DoHeadersAvailable(AContext, LRequestInfo.URI, LRequestInfo.RawHeaders); // <-- FIRES THE OnHeadersAvailable EVENT
    if not Result then begin
      DoHeadersBlocked(AContext, LRequestInfo.RawHeaders, LResponseNo, LResponseText, LContentText); // <-- FIRES THE OnHeadersBlocked EVENT
      LResponseInfo.ResponseNo := LResponseNo;
      if Length(LResponseText) > 0 then begin
        LResponseInfo.ResponseText := LResponseText;
      end; 
      LResponseInfo.ContentText := LContentText;
      LResponseInfo.CharSet := 'utf-8'; {Do not localize}
      LResponseInfo.CloseConnection := True;
      LResponseInfo.WriteHeader; // <-- SENDS THE RESPONSE STATUS AND HEADERS
      if Length(LContentText) > 0 then begin
        LResponseInfo.WriteContent; // <-- SENDS THE RESPONSE BODY
      end;
      Exit;
    end;
    ...
  end;

from indy.

You are right. I tested it with Chrome and there I get the correct return code. Thank you very much.

from indy.

The limitation with the custom Stream and OnCreatePostStream also works great!
Do you know the normal chunk size that is written at once with http 1.1?

from indy.

There is no "normal chunk size" in HTTP. If the client or server sends a chunked message, each chunk specifies its own size, so it can be whatever size the sender wants.

In this case, depending on buffering, the size written to the PostStream may not always be a full chunk at a time, it may be pieces of a chunk. The only requirement is that pieces are written to the PostStream in the correct order.

from indy.