256kB header limit (square#3602)

* 100k header limit

* 256k limit

Author: yschimke

okhttp-tests/src/test/java/okhttp3/CallTest.java

@@ -1871,6 +1871,25 @@ private void postBodyRetransmittedAfterAuthorizationFail(String body) throws Exc
         .assertFailure("HTTP 205 had non-zero Content-Length: 39");
   }
 
+  @Test public void httpWithExcessiveHeaders() throws IOException {
+    String longLine = "HTTP/1.1 200 " + stringFill('O', 256 * 1024) + "K";
+
+    server.setProtocols(Collections.singletonList(Protocol.HTTP_1_1));
+
+    server.enqueue(new MockResponse()
+        .setStatus(longLine)
+        .setBody("I'm not even supposed to be here today."));
+
+    executeSynchronously("/")
+        .assertFailureMatches(".*unexpected end of stream on Connection.*");
+  }
+
+  private String stringFill(char fillChar, int length) {
+    char[] value = new char[length];
+    Arrays.fill(value, fillChar);
+    return new String(value);
+  }
+
   @Test public void canceledBeforeExecute() throws Exception {
     Call call = client.newCall(new Request.Builder().url(server.url("/a")).build());
     call.cancel();

okhttp-tests/src/test/java/okhttp3/RecordedResponse.java

@@ -157,7 +157,7 @@ public RecordedResponse assertFailure(Class<?>... allowedExceptionTypes) {
   }
 
   public RecordedResponse assertFailure(String... messages) {
-    assertNotNull(failure);
+    assertNotNull("No failure found", failure);
     assertTrue(failure.getMessage(), Arrays.asList(messages).contains(failure.getMessage()));
     return this;
   }

okhttp/src/main/java/okhttp3/internal/http1/Http1Codec.java

@@ -74,6 +74,7 @@ public final class Http1Codec implements HttpCodec {
   private static final int STATE_OPEN_RESPONSE_BODY = 4;
   private static final int STATE_READING_RESPONSE_BODY = 5;
   private static final int STATE_CLOSED = 6;
+  private static final int HEADER_LIMIT = Integer.getInteger("okhttp.headerlimit", 256 * 1024);
 
   /** The client that configures this stream. May be null for HTTPS proxy tunnels. */
   final OkHttpClient client;
@@ -83,6 +84,7 @@ public final class Http1Codec implements HttpCodec {
   final BufferedSource source;
   final BufferedSink sink;
   int state = STATE_IDLE;
+  private long headerLimit = HEADER_LIMIT;
 
   public Http1Codec(OkHttpClient client, StreamAllocation streamAllocation, BufferedSource source,
       BufferedSink sink) {
@@ -184,7 +186,7 @@ public void writeRequest(Headers headers, String requestLine) throws IOException
     }
 
     try {
-      StatusLine statusLine = StatusLine.parse(source.readUtf8LineStrict());
+      StatusLine statusLine = StatusLine.parse(readHeaderLine());
 
       Response.Builder responseBuilder = new Response.Builder()
           .protocol(statusLine.protocol)
@@ -206,11 +208,17 @@ public void writeRequest(Headers headers, String requestLine) throws IOException
     }
   }
 
+  private String readHeaderLine() throws IOException {
+    String line = source.readUtf8LineStrict(headerLimit);
+    headerLimit -= line.length();
+    return line;
+  }
+
   /** Reads headers or trailers. */
   public Headers readHeaders() throws IOException {
     Headers.Builder headers = new Headers.Builder();
     // parse the result headers until the first blank line
-    for (String line; (line = source.readUtf8LineStrict()).length() != 0; ) {
+    for (String line; (line = readHeaderLine()).length() != 0; ) {
       Internal.instance.addLenient(headers, line);
     }
     return headers.build();