Security checks for Json() #25
Labels
Comments
|
JSON is stream parse, but form parse needs pre-read in https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1130:6 . MaxBytesReader is sufficient enough. |
|
Sorry, I don't follow. Are you saying that |
|
In conclusion, yes! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In Go's net/http ParseForm() method, the following checks are done:
https://github.com/golang/go/blob/700e969d5b23732179ea86cfe67e8d1a0a1cc10a/src/net/http/request.go#L1176
// For other HTTP methods, or when the Content-Type is not
// application/x-www-form-urlencoded, the request Body is not read, and
// r.PostForm is initialized to a non-nil, empty value.
//
// If the request Body's size has not already been limited by MaxBytesReader,
// the size is capped at 10MB.
Should the similar checks in Request body be done in Json() method, too?
The text was updated successfully, but these errors were encountered: