feat: decrease the default value of maxHttpBufferSize
This change reduces the default value from 100 mb to a more sane 1 mb.

This helps protect the server against denial of service attacks by
malicious clients sending huge amounts of data.
darrachequesne committed Feb 11, 2020
1 parent 61b9492 commit 734f9d1
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/server.js
@@ -26,7 +26,7 @@ class Server extends EventEmitter {
pingTimeout: 5000,
pingInterval: 25000,
upgradeTimeout: 10000,
maxHttpBufferSize: 10e7,
maxHttpBufferSize: 1e6,
transports: Object.keys(transports),
allowUpgrades: true,
perMessageDeflate: {
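Review bot: Lowering the default `maxHttpBufferSize` from `10e7` to `1e6` silently changes behaviour for every deployment that never sets the option, so this `feat:` commit should be flagged as a breaking change (a `BREAKING CHANGE:` footer or a changelog entry) and any documentation of the default updated from 100 MB to 1 MB. A comment next to the literal stating the unit (bytes) would also help, since `10e7` and `1e6` are easy to misread; a named constant such as `const DEFAULT_MAX_HTTP_BUFFER_SIZE = 1e6;` would make the limit easier to find and reason about.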

3 comments on commit 734f9d1

@abergmann

CVE-2020-36048 was assigned to this commit.

@ixevix
@ixevix ixevix commented on 734f9d1 May 11, 2022

Any luck getting this into an official release on some version of engine.io that socket.io v2.4.x depends on?

@darrachequesne
Member Author
