std::getline() in rpcprotocol.cpp should be replaced by an alternative with a length limit #6425

1. 
   SergioDemianLerner commented at 8:12 pm on July 12, 2015: contributor

   By using the unbounded getline() RPC/REST clients are able to (slowly) fill server heap address space until core dump. Also limiting line length protects attacks on further processing on the URI by REST methods. The HTTP/1.1 standard seems to limit it to 8000 bytes, although any number < 32 Mb could be used in bitcoind. See http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers
2. 
   lontivero commented at 9:58 pm on July 12, 2015: contributor

   8kb limit has been chosen as a de-facto limit by many web servers (and web clients too) but it isn’t standard. Having said this, you are right and even more important for the unathenticated rest client.
3. 
   jonasschnelli commented at 9:39 am on July 13, 2015: contributor

   Agreed with @SergioDemianLerner. I would say it’s not worth touching/re-checking this until https://github.com/bitcoin/bitcoin/pull/5677/files is merged.
4. 
   laanwj commented at 11:46 am on July 13, 2015: member

   evhttp allows setting the maximum size of method+URI+headers with evhttp_connection_set_max_headers_size, we should definitely use that after #5677.
5. laanwj added the label Priority Low on Jul 13, 2015
6. laanwj added the label RPC on Jul 13, 2015
7. laanwj added the label REST on Jul 13, 2015
8. laanwj referenced this in commit 12eb6690a8 on Oct 20, 2015
9. laanwj referenced this in commit 3ae69defb6 on Oct 20, 2015
10. laanwj referenced this in commit 41db8c4733 on Oct 20, 2015
11. laanwj closed this on Oct 21, 2015

    ---

12. lateminer referenced this in commit d57bd81ce6 on Oct 18, 2018
13. MarcoFalke locked this on Sep 8, 2021

Contributors
SergioDemianLerner lontivero jonasschnelli laanwj

Labels
RPC/REST/ZMQ