Is it advisable to (further) limit the size of forms when using golang?

Backend | Unresolved | 2 | 1166
攒了一身酷 2021-02-12 20:06

I searched around and as far as I can tell, POST form requests are already limited to 10MB (http://golang.org/src/net/http/request.go#L721).

If I were to go about reduc

2 answers
  • 2021-02-12 20:59

    The correct way to limit the size of the request body is to do as you suggested:

    // MaxFileSize is the byte limit you choose; w is the http.ResponseWriter, r the *http.Request.
    r.Body = http.MaxBytesReader(w, r.Body, MaxFileSize)
    err := r.ParseForm()
    if err != nil {
        // redirect or set error status code.
        return
    }
    

    MaxBytesReader sets a flag on the response when the limit is reached. When this flag is set, the server does not read the remainder of the request body and the server closes the connection on return from the handler.

    If you are concerned about malicious clients, then you should also set Server.ReadTimeout, Server.WriteTimeout and possibly Server.MaxHeaderBytes.

    If you want to set the request body limit for all of your handlers, then wrap root handler with a handler that sets the limit before delegating to the root handler:

     type maxBytesHandler struct {
         h http.Handler
         n int64
     }
    
     func (h *maxBytesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
         r.Body = http.MaxBytesReader(w, r.Body, h.n) 
         h.h.ServeHTTP(w, r)
     }
    

    Wrap the root handler when calling ListenAndServe:

    log.Fatal(http.ListenAndServe(":8080", &maxBytesHandler{h: mux, n: 4096}))
    

    or when configuring a server:

    s := http.Server{
        Addr:    ":8080",
        Handler: &maxBytesHandler{h: mux, n: 4096},
    }
    log.Fatal(s.ListenAndServe())
    

    There's no need for a patch as suggested in another answer. MaxBytesReader is the official way to limit the size of the request body.

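    Added example (not code from either answer) that exercises the wrapper pattern above end to end: the root mux is wrapped in maxBytesHandler, the form handler maps the MaxBytesReader error to 413, and PostForm drives it in-process through httptest with a constructed body. The /submit path, the 32-byte limit and the NewLimitedMux/PostForm names are assumptions; the error type check needs Go 1.19 or newer.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)
// maxBytesHandler caps every request body before delegating to the root handler.
type maxBytesHandler struct {
	h http.Handler
	n int64
}

func (h *maxBytesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, h.n)
	h.h.ServeHTTP(w, r)
}
// formHandler parses the already-capped body; the limit error becomes a 413.
func formHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		var tooLarge *http.MaxBytesError // returned by MaxBytesReader since Go 1.19
		if errors.As(err, &tooLarge) {
			http.Error(w, "form too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	io.WriteString(w, "name="+r.PostForm.Get("name"))
}

// NewLimitedMux wires the root mux behind a body limit of n bytes (assumed names).
func NewLimitedMux(n int64) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/submit", formHandler)
	return &maxBytesHandler{h: mux, n: n}
}

// PostForm drives h in-process with a constructed urlencoded body; returns status and trimmed body.
func PostForm(h http.Handler, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/submit", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	out, _ := io.ReadAll(rec.Result().Body)
	return rec.Code, strings.TrimSpace(string(out))
}
```

    A body under the limit is parsed normally; one over it is rejected with 413 before the handler ever sees the full payload.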
  • 2021-02-12 21:07

    Edit: As others cited, MaxBytesReader is the supported way. It is interesting that the default reader is instead a LimitReader, after type asserting for MaxBytesReader.

    Submit a patch to the Go source code and make it configurable! You are working with an open source project after all. Adding a setter to http.Request and some unit tests for it is probably only 20 minutes' worth of work. Having a hardcoded value here is a bit clunky; give back and fix it :).

    You can of course implement your own ParseForm(r *http.Request) method if you really need to override this. Go is essentially BSD, so you can copy-paste the library ParseForm and change the limit, but that's a bit ugly, no?
