Re: any way to get longer header names in haproxy?

2023-10-18 Thread Willy Tarreau
Hello,

On Wed, Oct 18, 2023 at 11:31:30AM -0700, Jerry Scharf (he/him/his) wrote:
> We use haproxy for https termination for one of our services. We are trying
> to upgrade to late model haproxy, but have run into a problem. In old
> haproxy versions, it allowed 1k header names and we told our customers
> that.

Ouch! The joys of announcing technical limits to customers instead of
acceptable ones :-/

> In modern versions, it is checked and limited to 254.

Possibly, I would have said something between 64 and 255.

> I saw that this check was in response to a CVE. If I understand the issue,
> it was that it was only 255 that produced the problem, not all lengths
> beyond 255. Is this a correct assessment?

I don't have any such memories, if you had a link to the commit in
question I could possibly confirm based on the info there. But anyway
at such lengths, 254 or 255 are both considered totally unreasonable.

> Are there any ways around this that I haven't found?

No, definitely not at all. From what I'm seeing in the API's doc the
name's length is represented on 8 bits (255 max) and the value length
on 24 bits (16 MB max), and both sizes fit into a combined 32-bit block.

> I will need to take this to the folks that own the product requirements and
> I want to give them the right information.

Got it! You can tell them that this has been in effect since 1.9 (via
an opt-in), 2.0 (via an opt-out) and definitively since 2.1. In short, all
currently maintained versions use the same representation.

Hoping this helps,
Willy
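An added illustration of the structural limit described in the reply above; this is not HAProxy's own code. The field layout (an 8-bit name length and a 24-bit value length packed into one 32-bit word) is taken from Willy's description and assumed here, and every identifier below is hypothetical. It shows why the cap is not a tunable: a name longer than 255 bytes has no representation in such a word, and a packer that does not check the length first silently wraps it modulo 256, which is exactly why the length must be validated before the header is ever stored.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical header block "info" word, laid out as described in the
 * reply above: name length in the top 8 bits (255 max), value length in
 * the low 24 bits (16 MB max). Illustration only, not HAProxy's real
 * definition. */
#define HDR_NAME_BITS   8u
#define HDR_VALUE_BITS  24u
#define HDR_NAME_MAX    ((1u << HDR_NAME_BITS) - 1)    /* 255 */
#define HDR_VALUE_MAX   ((1u << HDR_VALUE_BITS) - 1)   /* 16777215 */

/* What a packer does if it trusts the caller: the lengths are shifted in
 * unchanged, so any name length >= 256 wraps modulo 256 and a 256-byte
 * name decodes as a 0-byte name. */
static uint32_t hdr_pack_unchecked(size_t nlen, size_t vlen)
{
    return ((uint32_t)nlen << HDR_VALUE_BITS) | ((uint32_t)vlen & HDR_VALUE_MAX);
}

/* Safe packer: rejects anything that does not fit. Returns 1 and writes
 * the word to *info on success, 0 if either length is unrepresentable. */
static int hdr_pack_checked(size_t nlen, size_t vlen, uint32_t *info)
{
    if (nlen == 0 || nlen > HDR_NAME_MAX || vlen > HDR_VALUE_MAX)
        return 0;
    *info = hdr_pack_unchecked(nlen, vlen);
    return 1;
}

static size_t hdr_name_len(uint32_t info)  { return info >> HDR_VALUE_BITS; }
static size_t hdr_value_len(uint32_t info) { return info & HDR_VALUE_MAX; }

/* 1 if the pair packs and decodes back to the same lengths, else 0. */
static int hdr_roundtrip_ok(size_t nlen, size_t vlen)
{
    uint32_t info;

    if (!hdr_pack_checked(nlen, vlen, &info))
        return 0;
    return hdr_name_len(info) == nlen && hdr_value_len(info) == vlen;
}

int main(void)
{
    size_t n;

    /* Every name length from 1 to 255 round-trips exactly. */
    for (n = 1; n <= HDR_NAME_MAX; n++) {
        if (!hdr_roundtrip_ok(n, 1234)) {
            printf("round-trip failed at %zu\n", n);
            return 1;
        }
    }

    /* 256 bytes, and the 1k names mentioned in the thread, cannot be
     * represented at all... */
    printf("256-byte name accepted:  %d\n", hdr_roundtrip_ok(256, 0));
    printf("1024-byte name accepted: %d\n", hdr_roundtrip_ok(1024, 0));

    /* ...and packed without the check they decode as a different length:
     * 256 -> 0, 1024 -> 0, 300 -> 44. */
    printf("unchecked 256 decodes as  %zu\n", hdr_name_len(hdr_pack_unchecked(256, 0)));
    printf("unchecked 1024 decodes as %zu\n", hdr_name_len(hdr_pack_unchecked(1024, 0)));
    printf("unchecked 300 decodes as  %zu\n", hdr_name_len(hdr_pack_unchecked(300, 0)));
    return 0;
}
```

The point for the product discussion is the last three lines of output: the question is not which particular length triggers a bug, but that any length above what the field can hold must be refused before packing, because once it has been shifted into the word the original length is gone.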



any way to get longer header names in haproxy?

2023-10-18 Thread Jerry Scharf (he/him/his)
We use haproxy for https termination for one of our services. We are trying
to upgrade to late model haproxy, but have run into a problem. In old
haproxy versions, it allowed 1k header names and we told our customers
that. In modern versions, it is checked and limited to 254.
I saw that this check was in response to a CVE. If I understand the issue,
it was that it was only 255 that produced the problem, not all lengths
beyond 255. Is this a correct assessment? Are there any ways around this
that I haven't found?
I will need to take this to the folks that own the product requirements and
I want to give them the right information.
thanks,
jerry
-- 
Jerry Scharf
Pure Storage