Aiohttp: websocket message size limit
241 views
Skip to first unread message
alexmna...@gmail.com
Jun 5, 2017, 8:18:37 AM6/5/17
to aio-libs
Hi all!
Before creating an issue, I wanted to discuss the following: aiohttp has no limit on websocket message sizes.
That looks pretty dangerous, as it allows to DoS/OOM the server with a single client without any effort at all.
Closest 'conceptual' relative of aiohttp (IMHO) aka tornado has this limit both on client and on server APIs:
It cannot be implemented on the application layer - it's too late, message has been fully loaded already. This limit must be deep in protocol implementation, where websocket fragmented messages are collected.
Am I missing smth?
ps. I understand that it can probably solved using a production reverse proxy, but for pure WS workload direct connection seems reasonable too.
alexmna...@gmail.com
Jun 5, 2017, 8:22:25 AM6/5/17
to aio-libs, alexmna...@gmail.com
Btw, does client_max_size (which is not documented?) influence websockets?
Nikolay Kim
Jun 5, 2017, 9:40:50 AM6/5/17
to alexmna...@gmail.com, aio-libs
client_max_size does not influence websockets parser at all. As an temp solution we should take this value into account. Proper solution would be to use StreamReader instead of plain text and bytes.
Sent from my iPhone
Sent from my iPhone
--
You received this message because you are subscribed to the Google Groups "aio-libs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to aio-libs+u...@googlegroups.com.
To post to this group, send email to aio-...@googlegroups.com.
Visit this group at https://groups.google.com/group/aio-libs.
To view this discussion on the web visit https://groups.google.com/d/msgid/aio-libs/d1a8b651-4c77-461f-a446-04d433e31057%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Alexey Nazarenko
Jun 5, 2017, 10:43:26 AM6/5/17
to aio-libs, alexmna...@gmail.com
I'm not sure if it's right to expose streaming APIs for the inherently message-based protocol.
It's your decision, ofc, but the simple hard-limit (both on client and server APIs) looks good for me.
Alexey Nazarenko
Jun 5, 2017, 10:46:25 AM6/5/17
to aio-libs, alexmna...@gmail.com
Should I create an issue in the tracker?
Nikolay Kim
Jun 5, 2017, 10:49:02 AM6/5/17
to Alexey Nazarenko, aio-libs
sure. PR would be even better
To view this discussion on the web visit https://groups.google.com/d/msgid/aio-libs/51feea3b-739f-47d4-86ac-c80bbf994e95%40googlegroups.com.
Amirouche Boubekki
Jun 15, 2017, 1:31:16 PM6/15/17
to aio-libs, alexmna...@gmail.com
Can you cross link the PR/Issue here please?
Alexey Nazarenko
Jun 16, 2017, 4:30:04 AM6/16/17
to aio-libs, alexmna...@gmail.com
Reply all
Reply to author
Forward
0 new messages