
rpcserver: Impose additional read limits. #2675

Merged
merged 2 commits into from
Jul 5, 2021

Conversation

davecgh

@davecgh davecgh commented Jun 30, 2021

This imposes additional per-connection read limits on the RPC server to help further harden it against potential abuse in non-standard configurations on poorly-configured networks.

In practice, these changes will not have any noticeable effect for the vast majority of nodes since the RPC server is not publicly accessible by default and requires authentication.

Nevertheless, it can still be useful to apply additional read limits for scenarios such as authenticated fuzz testing and poorly-configured networks that have disabled all other security measures.

The following are the updated per-connection limits:

  • 0 B / 8 MiB for pre and post auth HTTP connections
  • 4 KiB / 16 MiB for pre and post auth websocket connections

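The following is an added example, not code from the pull request or from dcrd itself, showing how the per-connection limits listed above can be enforced in Go. The function names (`readLimit`, `readHTTPBody`, `readWebsocketMessage`, `tryHTTP`, `tryWS`) and the sentinel error are assumptions made for this illustration; the limit values are the ones quoted in the description. HTTP bodies are capped with `http.MaxBytesReader`, which also tells the server to close the connection once the cap is hit, while websocket messages use the `io.LimitReader` limit-plus-one pattern since they are not read through an `http.Request`.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Per-connection read limits quoted from the pull request description.
const (
	httpPreAuthLimit  int64 = 0        // 0 B: no body is read before auth
	httpPostAuthLimit int64 = 8 << 20  // 8 MiB
	wsPreAuthLimit    int64 = 4 << 10  // 4 KiB
	wsPostAuthLimit   int64 = 16 << 20 // 16 MiB
)

// ErrReadLimitExceeded is returned when a peer sends more than its
// connection state allows (assumed name, not dcrd's).
var ErrReadLimitExceeded = errors.New("per-connection read limit exceeded")

// readLimit selects the limit from the connection type and auth state.
func readLimit(websocket, authenticated bool) int64 {
	switch {
	case websocket && authenticated:
		return wsPostAuthLimit
	case websocket:
		return wsPreAuthLimit
	case authenticated:
		return httpPostAuthLimit
	default:
		return httpPreAuthLimit
	}
}

// readHTTPBody reads a request body under the limit for the auth state.
// http.MaxBytesReader stops at the limit, returns *http.MaxBytesError and
// asks the server to close the connection rather than drain the rest.
func readHTTPBody(w http.ResponseWriter, r *http.Request, authenticated bool) ([]byte, error) {
	limited := http.MaxBytesReader(w, r.Body, readLimit(false, authenticated))
	data, err := io.ReadAll(limited)
	var tooLarge *http.MaxBytesError
	if errors.As(err, &tooLarge) {
		return nil, ErrReadLimitExceeded
	}
	return data, err
}

// readWebsocketMessage applies the same cap to a raw message stream: read at
// most limit+1 bytes and reject the message if the extra byte arrives.
func readWebsocketMessage(msg io.Reader, authenticated bool) ([]byte, error) {
	limit := readLimit(true, authenticated)
	data, err := io.ReadAll(io.LimitReader(msg, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrReadLimitExceeded
	}
	return data, nil
}

// tryHTTP sends a constructed POST with an n-byte body and returns the
// read error, if any, for the given auth state.
func tryHTTP(n int, authenticated bool) error {
	body := strings.NewReader(strings.Repeat("x", n))
	req := httptest.NewRequest(http.MethodPost, "/", body)
	_, err := readHTTPBody(httptest.NewRecorder(), req, authenticated)
	return err
}

// tryWS does the same for a constructed n-byte websocket message.
func tryWS(n int, authenticated bool) error {
	_, err := readWebsocketMessage(strings.NewReader(strings.Repeat("x", n)), authenticated)
	return err
}

func main() {
	cases := []struct {
		ws   bool
		auth bool
		n    int
	}{
		{false, false, 0}, {false, false, 1}, {false, true, 8 << 20}, {false, true, 8<<20 + 1},
		{true, false, 4096}, {true, false, 4097}, {true, true, 4097},
	}
	for _, c := range cases {
		var err error
		if c.ws {
			err = tryWS(c.n, c.auth)
		} else {
			err = tryHTTP(c.n, c.auth)
		}
		fmt.Printf("ws=%-5v auth=%-5v bytes=%-8d err=%v\n", c.ws, c.auth, c.n, err)
	}
}
```

The pre-auth HTTP limit of 0 B means an unauthenticated request with any body at all is rejected before a single byte is buffered, while an empty body (the auth check only needs headers) still passes; the websocket pre-auth limit of 4 KiB leaves room for the authentication message and nothing else.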
@davecgh davecgh added this to the 1.7.0 milestone Jun 30, 2021

@chappjc chappjc left a comment


Looks right.


@degeri degeri left a comment


Tested all limits. Works 👍

@davecgh davecgh merged commit 2e8efe1 into decred:master Jul 5, 2021
@davecgh davecgh deleted the rpcserver_read_limits branch July 5, 2021 07:19
7 participants