fix(formmailer): cap request body with MaxBytesReader

ParseMultipartForm(maxFormSize) caps post-header bytes but doesn't
bound the raw body transfer, so a slow or chunked POST can consume
server time before it is rejected. Wrap r.Body in http.MaxBytesReader
so the transport cuts off an over-size body as soon as it exceeds
maxFormSize.
AJ ONeal 2026-04-20 20:02:41 -06:00
parent b77872623a
commit 06e6cfa211
No known key found for this signature in database


@ -208,6 +208,7 @@ func (fm *FormMailer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return return
} }
r.Body = http.MaxBytesReader(w, r.Body, maxFormSize)
if err := r.ParseMultipartForm(maxFormSize); err != nil { if err := r.ParseMultipartForm(maxFormSize); err != nil {
http.Error(w, "form too large or invalid", http.StatusBadRequest) http.Error(w, "form too large or invalid", http.StatusBadRequest)
return return