Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Large URI requests return a 400 Bad Request (should be 414) #3898

Closed
RMHonor opened this issue Feb 25, 2019 · 4 comments
Closed

Large URI requests return a 400 Bad Request (should be 414) #3898

RMHonor opened this issue Feb 25, 2019 · 4 comments

Comments

@RMHonor
Copy link

RMHonor commented Feb 25, 2019

Performing a GET request with a URI too long (as specified in https://github.com/nodejs/http-parser/blob/master/http_parser.h#L55) throws a 400 Bad Request error. This should be a 414 URI Too Long.

app.get('/test', (_, res) => res.sendStatus(200)

curl https://localhost:11000/test?q=query*8000 // 400 error
@dougwilson
Copy link
Contributor

dougwilson commented Feb 25, 2019
edited
Loading

Hi, thanks for the report! Looks like it is the Node.js HTTP server itself that is doing this, so you'll likely have to file an issue at https://github.com/nodejs/node/issues . When it makes this 400, it doesn't even pass the request to Express.js at all, so Express does not have an opportunity to handle it.

Here is an example using the Node.js HTTP server:

$ node -e 'require("http").createServer((req, res) => console.log(req.url)).listen(4000)' &
[1] 7999
$ curl -i "http://localhost:4000/test?q=$(for i in `seq 1 8000`; do echo -n query; done)"
HTTP/1.1 400 Bad Request

@dougwilson
Copy link
Contributor

For anyone who comes by, here is the link to the related Node.js issue: nodejs/node#26296

@caiolrm caiolrm mentioned this issue Mar 9, 2019
Closed
4 tasks
caiolrm added a commit to caiolrm/node that referenced this issue Mar 10, 2019
@caiolrm
http: create an option for setting a maximum size for uri parsing
45fa652 
The http server wasn't able to tell exactly what caused an
HPE_HEADER_OVERFLOW, meaning it would yield a 431 error even if what
caused it was the request URI being too long.

This adds a limit to the URI sizes through a new option called
max-http-uri-size, which will be checked against the actual URIs
after on_url callback at the node_http_parser_impl file.

Fixes: nodejs#26296
Refs: expressjs/express#3898
@oshihirii
Copy link

hello, can anyone please help me understand why the examples above use strings of 8,000 bytes to exceed max limit, whereas the limit in the code referenced seems to be 80,000 bytes? i am trying to understand what the max limit is, i am on Node v10.16.0 and getting 400's with query string of 15,200 bytes. thank you.

@dougwilson
Copy link
Contributor

This is a Node.js issue. You'll want to post your question in the linked issue above.

@expressjs expressjs locked and limited conversation to collaborators Jul 22, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dougwilson @oshihirii @RMHonor