From 36a3de710411ef5c28fc2b3840ed5f645609323f Mon Sep 17 00:00:00 2001 From: David Acker Date: Fri, 19 Aug 2022 14:49:33 -0400 Subject: [PATCH] Request decompression improvements (#26785) * Fix formatting on exception name * List MaxRequestBodySize configuration sources --- .../fundamentals/middleware/request-decompression.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md index 58dbb64a10..153a37d743 100644 --- a/aspnetcore/fundamentals/middleware/request-decompression.md +++ b/aspnetcore/fundamentals/middleware/request-decompression.md 
@@ -29,7 +29,7 @@ Decompression: * Occurs when the body of the request is being read. That is, decompression occurs at the endpoint on model binding. The request body is not decompressed eagerly. * When attempting to read the decompressed request body, if the compressed data is invalid for the specified `Content-Encoding`, an exception is thrown. -If the middleware encounters a request with compressed content but is unable to decompress it, the request is passed to the next delegate in the pipeline. For example, a request with an unsupported `Content-Encoding` header value or multiple `Content-Encoding` header values, is passed to the next delegate in the pipeline. For example, Brotli can throw `System.InvalidOperationException:` Decoder ran into invalid data, Deflate and GZip can throw `System.IO.InvalidDataException`: The archive entry was compressed using an unsupported compression method. +If the middleware encounters a request with compressed content but is unable to decompress it, the request is passed to the next delegate in the pipeline. For example, a request with an unsupported `Content-Encoding` header value or multiple `Content-Encoding` header values, is passed to the next delegate in the pipeline. For example, Brotli can throw `System.InvalidOperationException`: Decoder ran into invalid data, Deflate and GZip can throw `System.IO.InvalidDataException`: The archive entry was compressed using an unsupported compression method. ## Configuration 
@@ -69,7 +69,14 @@ In order to guard against [zip bombs or decompression bombs](https://en.wikipedi The maximum request size for an endpoint is set by: * , such as or for MVC endpoints. -* The global server size limit . If not set, [`MaxRequestBodySize`](https://github.com/dotnet/aspnetcore/blob/197c1693d3c830af52b587e8d88891bc9689be44/src/Servers/Kestrel/Core/src/KestrelServerLimits.cs#L148-L157) uses the [default value](https://github.com/dotnet/aspnetcore/blob/197c1693d3c830af52b587e8d88891bc9689be44/src/Servers/Kestrel/Core/src/KestrelServerLimits.cs#L153). `MaxRequestBodySize` can be overridden per request with [`IHttpMaxRequestBodySizeFeature.MaxRequestBodySize`](xref:Microsoft.AspNetCore.Http.Features.IHttpMaxRequestBodySizeFeature.MaxRequestBodySize) +* The global server size limit . `MaxRequestBodySize` can be overridden per request with , but defaults to the limit configured for the web server implementation. + +| Web server implementation | `MaxRequestBodySize` configuration | +| --------- | --------- | +| [HTTP.sys](xref:fundamentals/servers/httpsys) | | +| [IIS](xref:host-and-deploy/iis/index) | | +| [Kestrel](xref:fundamentals/servers/kestrel) | | + > [!WARNING] > Disabling the request body size limit poses a security risk in regards to uncontrolled resource consumption, particularly if the request body is being buffered. Ensure that safeguards are in place to mitigate the risk of [denial-of-service](https://www.cisa.gov/uscert/ncas/tips/ST04-015) (DoS) attacks.
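Review bot: In the second hunk (`@@ -69,7 +69,14 @@`), the removed bullet linked to the Kestrel default value for `MaxRequestBodySize`, and the replacement table does not state a default for any of the three servers, so a reader has to follow each link to learn what limit applies when nothing is configured. Because the warning directly below is about disabling that limit, consider adding a column with each server's default, or a sentence that says where it is documented. The new sentence "`MaxRequestBodySize` can be overridden per request with ..., but defaults to the limit configured for the web server implementation" also puts the override before the default; it reads more clearly with the default stated first and the per-request override second. In the lines as shown here the right-hand cell of every table row is empty, so it is worth confirming that each row's configuration reference renders in the built page.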