Increase Header size limit or add Cookie option: Getting [fatal] header is too large
dcoracle opened this issue · 4 comments
dcoracle commented
Our organization uses cookie session headers that are larger than the current header limit that siege has.
Looking at one of our payloads, it is just shy of 3500 where siege has it set at 2048.
Suggest either increasing the header limit or creating a new option just for cookies, since they are often larger than 2048.
In src/main.c:
    if((strlen(optarg) + strlen(my.extra) + 3) > 2048)
      NOTIFY(FATAL, "header is too large");
JoeDog commented
This is the first time that's come up. I picked that limit in 1999 so it's
entirely possible the standard I was working from at the time has changed
since then. To get yourself running until I develop a permanent solution,
you can expand the buffer here:
setup.h:194
    char extra[2048]; /* extra http request headers */
Then extend that if check in main.c to match.
…On Fri, Jan 13, 2023 at 10:20 AM dcoracle ***@***.***> wrote:
Our organization uses cookie session headers that are larger than the
current header limit that siege has.
Looking at one of our payloads, it is just shy of 3500 where siege has it
set at 2048.
Suggest either increasing header limit or create a new option just for
Cookies since it is often larger than 2048
In src/main.c:
if((strlen(optarg) + strlen(my.extra) + 3) > 2048)
NOTIFY(FATAL, "header is too large");
--
Jeff Fulmer
1-717-799-8226
https://www.joedog.org/
He codes
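The workaround above changes the same limit in two files (the array in setup.h and the literal in main.c); if only the array is shortened or only the check is raised, the check no longer guards the buffer. The following is an added example, not siege's code and not part of the original thread, that derives the check from the array with sizeof so the two cannot drift apart. `EXTRA_MAX`, `struct config` and `add_extra_header` are hypothetical names, 8192 is the 8K figure suggested later in the thread, and the example assumes each header is stored followed by CRLF and a terminating NUL, which is what the `+ 3` in the original check implies.

```c
#include <stdio.h>
#include <string.h>

#define EXTRA_MAX 8192 /* assumed value: the 8K figure suggested in the thread */

/* Hypothetical stand-in for the structure that declares `extra` in setup.h. */
struct config {
  char extra[EXTRA_MAX]; /* extra http request headers */
};

/*
 * Append "header\r\n" to cfg->extra, which must already be NUL-terminated.
 * Returns 0 on success, -1 if the result would not fit (nothing is written).
 * The limit is taken from sizeof, so resizing the array resizes the check.
 */
int add_extra_header(struct config *cfg, const char *header)
{
  size_t used = strlen(cfg->extra);
  size_t hlen = strlen(header);
  size_t room = sizeof(cfg->extra) - used; /* at least 1: the NUL slot */

  /* Same condition as the original check, written so it cannot wrap:
     hlen + used + 3 > sizeof(extra)  <=>  hlen > room - 3 (when room >= 3) */
  if (room < 3 || hlen > room - 3)
    return -1;

  memcpy(cfg->extra + used, header, hlen);
  memcpy(cfg->extra + used + hlen, "\r\n", 3); /* CR, LF and the NUL */
  return 0;
}

int main(void)
{
  static struct config cfg; /* zero-initialised, so extra is "" */
  char cookie[3501];        /* constructed sample: a 3500-byte header value */

  memset(cookie, 'c', 3500);
  memcpy(cookie, "Cookie: ", 8);
  cookie[3500] = '\0';

  if (add_extra_header(&cfg, cookie) != 0) {
    fprintf(stderr, "header is too large\n");
    return 1;
  }
  printf("stored %zu bytes of extra headers\n", strlen(cfg.extra));
  return 0;
}
```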
dcoracle commented
Thanks for the quick response and for the suggestion!
dcoracle commented
Quickly looking at SO, the standard seems to leave it up to implementation. 8K seems like a good practical limit: https://stackoverflow.com/questions/686217/maximum-on-http-header-values
JoeDog commented
Awesome, thanks!
…On Fri, Jan 13, 2023 at 11:23 AM dcoracle ***@***.***> wrote:
Quickly looking at SO, the standard seems to leave it up to
implementation. 8K seems like a good practical minimum:
https://stackoverflow.com/questions/686217/maximum-on-http-header-values