Limit the number of http headers when receiving the http response

Change introduces a default limit on HTTP headers we expect to receive from server to 256. If limit is exceeded http client library indicates HTTP_R_RESPONSE_TOO_MANY_HDRLINES error. Application can use OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines() to change default. Setting limit to 0 implies no limit (current behavior). Fixes #22264 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23781)
author: Alexandr Nedvedicky <sashan@openssl.org> 2024-03-08 11:21:18 +0100
committer: Tomas Mraz <tomas@openssl.org> 2024-03-12 19:35:41 +0100
commit: 7f8aba2f44e9ca65b8a95987fa6c46020e1bdd6d (patch)
tree: 5647518eee7a0d5b854f42d78bfab5ab3535219c /CHANGES.md
parent: bc930bed20d7462afecbb9d947286a335975c04a (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index ac6b7525bf..ddb2ba56a2 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -155,6 +155,14 @@ OpenSSL 3.3
 
    *Hugo Landau*
 
+ * New limit on HTTP response headers is introduced to HTTP client. The
+   default limit is set to 256 header lines. If limit is exceeded the
+   response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES.
+   Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)
+   to change the default. Setting the value to 0 disables the limit.
+
+   *Alexandr Nedvedicky*
+
 OpenSSL 3.2
 -----------
author	Alexandr Nedvedicky <sashan@openssl.org>	2024-03-08 11:21:18 +0100
committer	Tomas Mraz <tomas@openssl.org>	2024-03-12 19:35:41 +0100
commit	7f8aba2f44e9ca65b8a95987fa6c46020e1bdd6d (patch)
tree	5647518eee7a0d5b854f42d78bfab5ab3535219c /CHANGES.md
parent	bc930bed20d7462afecbb9d947286a335975c04a (diff)