Setting a WebSocket message size limit to avoid a memory exhaustion attack

[Ruben De Visscher]

Is there a way to set a message size limit that is enforced before the message is fully read into memory?

I am worried that someone can just send a message that is bigger than the amount of available RAM and takes down my server, 

because AFAIK the on_message callback gets handed the full message in string form.

- Ruben

[A. Jesse Jiryu Davis]

The max message size Tornado is willing to read defaults to 100MB; more than that and Tornado will abort reading the request body:

https://github.com/tornadoweb/tornado/blob/master/tornado/http1connection.py#L518

Starting in Tornado 4 you can override the max HTTP header size and max body size separately when you call Application.listen:

    application.listen(8888, max_header_size=1024**2, max_body_size=1024**2)

    tornado.ioloop.IOLoop.instance().start()

--
You received this message because you are subscribed to the Google Groups "Tornado Web Server" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python-tornad...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Ben Darnell]

That's for regular HTTP traffic; we do not currently have an effective limit for websocket messages. The max_body_size limit applies to individual message fragments, but there is no limit on the number or size of fragments that make up a message. The websocket compression support (that is new in 4.1) will also need to be made aware of size limits, like the gzip support for http bodies in 4.0.

-Ben

[aliane abdelouahab]

since it is an str, when you dont use message[:limit] ? or will the whole message get charged to memory and then get cut? then the idea is to make a list, with a max length, and append it with chars, and then make it back to str using ' '.join(the_list)