mime/multipart: add field Reader.MaxMIMEHeaderSize #73087
Labels
LibraryProposal
Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool
Proposal
Comments
This was referenced Mar 28, 2025
|
Change https://go.dev/cl/637915 mentions this issue: |
gabyhelp
added
the
LibraryProposal
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Proposal Details
Please provide a way to limit the maximum size of the header when using
http.ParseMultipartForm.Currently package
mime/multiparthas a hardcoded constant maxMIMEHeaderSize equal to 10 megabytes. This means that an app having multipart HTTP endpoints should allocate at least 10 megabytes of RAM per request, which is quite high. Most headers are much smaller and allowing 10 megabytes for the header is not useful, just exposes an app to memory exhaustion by many parallel slow requests with large MIME headers.I propose to add a public field MaxMIMEHeaderSize to multipart.Reader.
Methods
NextPart()andNextRawPart()should use the value of that field if it is not 0, otherwise they should use the constant.To use this new field, one would call request.MultipartReader() method in
httppackage, set the field to the desired value (e.g. 1024) and then parse the form usingreader.NextPart()method without the risk that multipart headers eat 10 megabytes of RAM.Fixes #26339
Alternatives considered
There is an alternative proposal #68889 to add maximum size and number of parts in
ParseMultipartForm. The proposals don't contradict each other.Request.ParseMultipartFormLimitedcan use fieldMaxMIMEHeaderSizeof the reader.The text was updated successfully, but these errors were encountered: