
Double amount of headers allowed #136

Closed
jrconlin opened this issue Apr 6, 2020 · 2 comments · Fixed by #138
Assignees
Labels
1 Estimate - Trivial p1

Comments


jrconlin commented Apr 6, 2020

See https://bugzilla.mozilla.org/show_bug.cgi?id=1623400

We currently limit to 16 headers, which is insufficient for expected demands, particularly with increased numbers of "Sec-*" headers being provided by nightly.

Current header list may include:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive, Upgrade
Host: push.services.mozilla.com
Origin: wss://push.services.mozilla.com/
Pragma: no-cache
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: cross-site
Sec-WebSocket-Extensions: permessage-deflate
Sec-WebSocket-Key: eyGFCl0x3LtrfBzjknmISg==
Sec-WebSocket-Protocol: push-notification
Sec-WebSocket-Version: 13
Upgrade: websocket
User-Agent: Mozilla/5.0 ...

Note: this will return a Severity: 7 error "Fields":{"msg":"127.0.0.1:46460: too many headers"}. I suspect this is not being logged. We may wish to increase visibility of this error in the future.

@jrconlin jrconlin added p1 1 Estimate - Trivial labels Apr 6, 2020
@jrconlin jrconlin self-assigned this Apr 6, 2020
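The failure described in the comment above can be reproduced with a small header parser that enforces a header-count cap and reports the count in its error. This is an added example, not autopush or hyper code: the parser, the `ParseError` type and the 32-header comparison cap are assumptions; the handshake lines are the ones listed in the issue, assembled here as a constructed request.

```rust
// Added example (not autopush code): a minimal HTTP/1.1 header parser with a
// configurable header-count cap. A cap exists so a client cannot make the
// server buffer an unbounded number of header lines, but when it is set too
// low it rejects legitimate handshakes like the one listed in the issue.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    // Carries both the cap and the header ordinal that tripped it, so a log
    // line built from it says how far over the limit the request was.
    TooManyHeaders { limit: usize, seen: usize },
    MalformedLine(String),
}

/// Parse CRLF-separated header lines (everything after the request line).
/// Stops at the blank line and fails as soon as the cap would be exceeded.
pub fn parse_headers(raw: &str, max_headers: usize) -> Result<Vec<(String, String)>, ParseError> {
    let mut headers = Vec::new();
    for line in raw.split("\r\n") {
        if line.is_empty() {
            break; // end of the header block
        }
        if headers.len() >= max_headers {
            return Err(ParseError::TooManyHeaders { limit: max_headers, seen: headers.len() + 1 });
        }
        match line.split_once(':') {
            Some((name, value)) => {
                headers.push((name.trim().to_ascii_lowercase(), value.trim().to_string()))
            }
            None => return Err(ParseError::MalformedLine(line.to_string())),
        }
    }
    Ok(headers)
}

/// The handshake headers quoted in the issue, joined into a constructed
/// header block (request line omitted, terminated by the blank line).
pub fn firefox_handshake_headers() -> String {
    let lines = [
        "Accept: */*",
        "Accept-Encoding: gzip, deflate, br",
        "Accept-Language: en-US,en;q=0.5",
        "Cache-Control: no-cache",
        "Connection: keep-alive, Upgrade",
        "Host: push.services.mozilla.com",
        "Origin: wss://push.services.mozilla.com/",
        "Pragma: no-cache",
        "Sec-Fetch-Dest: websocket",
        "Sec-Fetch-Mode: websocket",
        "Sec-Fetch-Site: cross-site",
        "Sec-WebSocket-Extensions: permessage-deflate",
        "Sec-WebSocket-Key: eyGFCl0x3LtrfBzjknmISg==",
        "Sec-WebSocket-Protocol: push-notification",
        "Sec-WebSocket-Version: 13",
        "Upgrade: websocket",
        "User-Agent: Mozilla/5.0 ...",
    ];
    let mut block = lines.join("\r\n");
    block.push_str("\r\n\r\n");
    block
}

/// Parse the constructed handshake under a given cap and return the header count.
pub fn count_with_limit(limit: usize) -> Result<usize, ParseError> {
    parse_headers(&firefox_handshake_headers(), limit).map(|h| h.len())
}

fn main() {
    // The 16-header cap from the issue versus an assumed raised cap of 32.
    for &limit in &[16usize, 32] {
        match count_with_limit(limit) {
            Ok(n) => println!("limit {}: accepted {} headers", limit, n),
            Err(e) => println!("limit {}: rejected: {:?}", limit, e),
        }
    }
}
```

The listed handshake carries 17 headers, one more than the cap, which is exactly the case the issue reports. Surfacing `limit` and `seen` in the error is what makes the "too many headers" log line actionable when the cap is tuned.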
jrconlin added a commit that referenced this issue Apr 6, 2020
Increasing number of security headers pushed the total over the very
limited 16

Closes #136

jrconlin commented Apr 7, 2020

argh.

So, cargo audit has identified a vuln with hyper, so we're now blocked by #133.


fzzzy commented Apr 7, 2020

Can we tell cargo audit to ignore it somehow, and get this fixed before updating hyper? I'll get our hyper updated asap, but we shouldn't block this bug on it.
