QHttpHeaderParser: Allow larger fields but restrict total size

Our limit of 8k for a single header field was too small for certain
services which returned Location values or WWW-Authenticate challenges
longer than 8k.

Instead, taking inspiration from Chromium, we have a limit of 250k for
the full header itself. And increasing our field limit to 100k, which
would occupy almost half of what the total header allows.

Also took the opportunity to make it adjustable from the outside so we
can set more strict limits in other components.

Fixes: QTBUG-104132
Pick-to: 6.3 6.4
Change-Id: Ibbe139445e79baaef30829cfbc9a59f884e96293
Reviewed-by: Ievgenii Meshcheriakov <ievgenii.meshcheriakov@qt.io>

2 files changed, 40 insertions, 11 deletions

diff --git a/src/network/access/qhttpheaderparser.cpp b/src/network/access/qhttpheaderparser.cpp
index 345f548c51..8ed5592712 100644
--- a/src/network/access/qhttpheaderparser.cpp
+++ b/src/network/access/qhttpheaderparser.cpp
@@ -1,4 +1,4 @@
-// Copyright (C) 2021 The Qt Company Ltd.
+// Copyright (C) 2022 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 #include "qhttpheaderparser_p.h"
@@ -7,12 +7,6 @@
 
 QT_BEGIN_NAMESPACE
 
-// both constants are taken from the default settings of Apache
-// see: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize and
-// http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
-static const int MAX_HEADER_FIELD_SIZE = 8 * 1024;
-static const int MAX_HEADER_FIELDS = 100;
-
 QHttpHeaderParser::QHttpHeaderParser()
     : statusCode(100) // Required by tst_QHttpNetworkConnection::ignoresslerror(failure)
     , majorVersion(0)
@@ -55,19 +49,22 @@ bool QHttpHeaderParser::parseHeaders(QByteArrayView header)
     while (int tail = header.endsWith("\n\r\n") ? 2 : header.endsWith("\n\n") ? 1 : 0)
         header.chop(tail);
 
+    if (header.size() - (header.endsWith("\r\n") ? 2 : 1) > maxTotalSize)
+        return false;
+
     QList<QPair<QByteArray, QByteArray>> result;
     while (header.size()) {
         const int colon = header.indexOf(':');
         if (colon == -1) // if no colon check if empty headers
             return result.size() == 0 && (header == "\n" || header == "\r\n");
-        if (result.size() >= MAX_HEADER_FIELDS)
+        if (result.size() >= maxFieldCount)
             return false;
         QByteArrayView name = header.first(colon);
         if (!fieldNameCheck(name))
             return false;
         header = header.sliced(colon + 1);
         QByteArray value;
-        int valueSpace = MAX_HEADER_FIELD_SIZE - name.size() - 1;
+        qsizetype valueSpace = maxFieldSize - name.size() - 1;
         do {
             const int endLine = header.indexOf('\n');
             Q_ASSERT(endLine != -1);
@@ -84,7 +81,7 @@ bool QHttpHeaderParser::parseHeaders(QByteArrayView header)
             }
             header = header.sliced(endLine + 1);
         } while (hSpaceStart(header));
-        Q_ASSERT(name.size() + 1 + value.size() <= MAX_HEADER_FIELD_SIZE);
+        Q_ASSERT(name.size() + 1 + value.size() <= maxFieldSize);
         result.append(qMakePair(name.toByteArray(), value));
     }
 
diff --git a/src/network/access/qhttpheaderparser_p.h b/src/network/access/qhttpheaderparser_p.h
index 7b70b174bf..9b149570e0 100644
--- a/src/network/access/qhttpheaderparser_p.h
+++ b/src/network/access/qhttpheaderparser_p.h
@@ -1,4 +1,4 @@
-// Copyright (C) 2021 The Qt Company Ltd.
+// Copyright (C) 2022 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 #ifndef QHTTPHEADERPARSER_H
@@ -24,6 +24,25 @@
 
 QT_BEGIN_NAMESPACE
 
+namespace HeaderConstants {
+
+// We previously used 8K, which is common on server side, but it turned out to
+// not be enough for various uses. Historically Firefox used 10K as the limit of
+// a single field, but some Location headers and Authorization challenges can
+// get even longer. Other browsers, such as Chrome, instead have a limit on the
+// total size of all the headers (as well as extra limits on some of the
+// individual fields). We'll use 100K as our default limit, which would be a ridiculously large
+// header, with the possibility to override it where we need to.
+static constexpr int MAX_HEADER_FIELD_SIZE = 100 * 1024;
+// Taken from http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
+static constexpr int MAX_HEADER_FIELDS = 100;
+// Chromium has a limit on the total size of the header set to 256KB,
+// which is a reasonable default for QNetworkAccessManager.
+// https://stackoverflow.com/a/3436155
+static constexpr int MAX_TOTAL_HEADER_SIZE = 256 * 1024;
+
+}
+
 class Q_NETWORK_PRIVATE_EXPORT QHttpHeaderParser
 {
 public:
@@ -54,12 +73,25 @@ public:
     void removeHeaderField(const QByteArray &name);
     void clearHeaders();
 
+    void setMaxHeaderFieldSize(qsizetype size) { maxFieldSize = size; }
+    qsizetype maxHeaderFieldSize() const { return maxFieldSize; }
+
+    void setMaxTotalHeaderSize(qsizetype size) { maxTotalSize = size; }
+    qsizetype maxTotalHeaderSize() const { return maxTotalSize; }
+
+    void setMaxHeaderFields(qsizetype count) { maxFieldCount = count; }
+    qsizetype maxHeaderFields() const { return maxFieldCount; }
+
 private:
     QList<QPair<QByteArray, QByteArray> > fields;
     QString reasonPhrase;
     int statusCode;
     int majorVersion;
     int minorVersion;
+
+    qsizetype maxFieldSize = HeaderConstants::MAX_HEADER_FIELD_SIZE;
+    qsizetype maxTotalSize = HeaderConstants::MAX_TOTAL_HEADER_SIZE;
+    qsizetype maxFieldCount = HeaderConstants::MAX_HEADER_FIELDS;
 };