author | Fedor Indutny <fedor.indutny@gmail.com> | 2012-01-16 01:45:31 +0600 |
---|---|---|
committer | Fedor Indutny <fedor.indutny@gmail.com> | 2012-01-16 02:45:05 +0600 |
commit | 8a98c2f1d81cabb6594dc388789d60d2f3f67c09 (patch) | |
tree | 2c07a8026b7e28255e399d2f04707f2f4eaad949 /lib/querystring.js | |
parent | 93465d30511db82d0f759905d0cde52c8d5ea53e (diff) | |
http, querystring: added limits to prevent DoS
Diffstat (limited to 'lib/querystring.js')
-rw-r--r-- | lib/querystring.js | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/lib/querystring.js b/lib/querystring.js
index 58b90250c4..f2038f5b21 100644
--- a/lib/querystring.js
+++ b/lib/querystring.js
@@ -160,16 +160,24 @@ QueryString.stringify = QueryString.encode = function(obj, sep, eq, name) {
 };
 // Parse a key=val string.
-QueryString.parse = QueryString.decode = function(qs, sep, eq) {
+QueryString.parse = QueryString.decode = function(qs, sep, eq, options) {
 sep = sep || '&';
 eq = eq || '=';
- var obj = {};
+ var obj = {},
+ maxKeys = options && options.maxKeys || 1000;
 if (typeof qs !== 'string' || qs.length === 0) {
 return obj;
 }
- qs.split(sep).forEach(function(kvp) {
+ qs = qs.split(sep);
+
+ // maxKeys <= 0 means that we should not limit keys count
+ if (maxKeys > 0) {
+ qs = qs.slice(0, maxKeys);
+ }
+
+ qs.forEach(function(kvp) {
 var x = kvp.split(eq);
 var k = QueryString.unescape(x[0], true);
 var v = QueryString.unescape(x.slice(1).join(eq), true); |
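Review bot: Passing `maxKeys: 0` does not lift the cap as the new comment (`maxKeys <= 0 means that we should not limit keys count`) promises, because `options && options.maxKeys || 1000` treats 0 as falsy and falls back to 1000; only a negative value reaches the unlimited path. Conversely, a non-numeric value such as `'abc'` (constructed example) fails the `maxKeys > 0` test and silently removes the limit, so the DoS guard fails open for a misconfigured caller. I would read the option explicitly, for example `maxKeys = (options && typeof options.maxKeys === 'number') ? options.maxKeys : 1000;`. The slice also runs only after `qs.split(sep)` has built the full array, so using `qs.split(sep, maxKeys)` when `maxKeys > 0` would bound the allocation as well as the loop. The body of QueryString.parse continues past the end of the hunk.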