As discussed in https://nowotarski.info/http-chunk-extensions/, HTTP chunked encoding can have large amount of overhead. When mounting a denial-of-service attack, an attacker might use HTTP requests that contain such chunks.
picohttpparser is immune to such attacks; it does not consume excess memory due to this type of attack. The processing speed of such chunks is much faster (e.g., ~500MB on modern CPU core) than the processing of HTTP requests in general.
Considering these aspects, we do not consider this as a vulnerability.
Nonetheless, it is always good to detect and reject these kind of attacks; hence the PR.
With this PR, picohttpparser rejects HTTP payload using chunked encoding with the following properties:
total size is larger than 100KB, and
cumulative size of chunk headers consists more than 80% of the total size.
As discussed in https://nowotarski.info/http-chunk-extensions/, HTTP chunked encoding can have large amount of overhead. When mounting a denial-of-service attack, an attacker might use HTTP requests that contain such chunks.
picohttpparser is immune to such attacks; it does not consume excess memory due to this type of attack. The processing speed of such chunks is much faster (e.g., ~500MB on modern CPU core) than the processing of HTTP requests in general.
Considering these aspects, we do not consider this as a vulnerability.
Nonetheless, it is always good to detect and reject these kind of attacks; hence the PR.
With this PR, picohttpparser rejects HTTP payload using chunked encoding with the following properties:
The issue was reported by Bartek Nowotarski.