Limit the total size of response headers

hsbt · mame · nobu · hsbt · commit ebe8f3876f6c · 2026-06-10T12:10:00.000+09:00
each_response_header read header lines until the blank separator with no
bound on their total size, so a server could exhaust client memory by
sending a large header block. Cap the cumulative size at 1 MiB and raise
Net::HTTPBadResponse once it is exceeded.

Co-authored-by: Yusuke Endoh &lt;mame@ruby-lang.org&gt;
Co-authored-by: Nobuyoshi Nakada &lt;nobu@ruby-lang.org&gt;
Co-Authored-By: Claude Fable 5 &lt;noreply@anthropic.com&gt;
diff --git a/lib/net/http/response.rb b/lib/net/http/response.rb
@@ -133,6 +133,9 @@
 # there is a protocol error.
 #
 class Net::HTTPResponse
+  # The maximum total size in bytes of the response header.
+  MAX_RESPONSE_HEADER_LENGTH = 1024 * 1024 # 1 MiB
+
   class << self
     # true if the response has a body.
     def body_permitted?
@@ -170,8 +173,12 @@ def response_class(code)
 
     def each_response_header(sock)
       key = value = nil
+      remaining = MAX_RESPONSE_HEADER_LENGTH
       while true
-        line = sock.readuntil("\n", true).sub(/\s+\z/, '')
+        line = sock.readuntil("\n", true)
+        remaining -= line.bytesize
+        raise Net::HTTPBadResponse, 'response header too large' if remaining < 0
+        line = line.sub(/\s+\z/, '')
         break if line.empty?
         if line[0] == ?\s or line[0] == ?\t and value
           value << ' ' unless value.empty?
diff --git a/test/net/http/test_httpresponse.rb b/test/net/http/test_httpresponse.rb
@@ -18,6 +18,30 @@ def test_singleline_header
     assert_equal('close', res['connection'])
   end
 
+  def test_response_header_too_large
+    big_value = 'a' * (Net::HTTPHeader::MAX_FIELD_LENGTH - 100)
+    count = (Net::HTTPResponse::MAX_RESPONSE_HEADER_LENGTH / big_value.bytesize) + 2
+    headers = +"HTTP/1.1 200 OK\n"
+    count.times { |i| headers << "X-Pad-#{i}: #{big_value}\n" }
+    headers << "\nhello\n"
+    io = dummy_io(headers)
+    assert_raise(Net::HTTPBadResponse) do
+      Net::HTTPResponse.read_new(io)
+    end
+  end
+
+  def test_response_header_within_limit
+    big_value = 'a' * (Net::HTTPHeader::MAX_FIELD_LENGTH - 100)
+    count = (Net::HTTPResponse::MAX_RESPONSE_HEADER_LENGTH / big_value.bytesize) - 1
+    headers = +"HTTP/1.1 200 OK\n"
+    count.times { |i| headers << "X-Pad-#{i}: #{big_value}\n" }
+    headers << "\nhello\n"
+    io = dummy_io(headers)
+    assert_nothing_raised do
+      Net::HTTPResponse.read_new(io)
+    end
+  end
+
   def test_multiline_header
     io = dummy_io(<<EOS)
 HTTP/1.1 200 OK
