http.server.requests: an upper limit is needed for the content-length header

basis/http/server/requests/requests-tests.factor

@@ -1,6 +1,6 @@
 USING: accessors assocs continuations http http.client http.client.private
 http.server http.server.requests io.streams.limited io.streams.string kernel
-multiline namespaces peg sequences splitting tools.test urls ;
+math math.parser multiline namespaces peg sequences splitting tools.test urls ;
 IN: http.server.requests.tests
 
 : normalize-nl ( str -- str' )
@@ -117,6 +117,16 @@ hello
     [ content-length>> -1234 = ] bi and
 ] must-fail-with
 
+! And too big
+[
+    { { "foo" "bar" } } "localhost" <post-request> request>string
+    "7" upload-limit get 1 + number>string replace string>request
+] [
+    [ invalid-content-length? ]
+    [ content-length>> upload-limit get 1 + = ] bi and
+] must-fail-with
+
+
 ! RFC 2616: Section 4.1
 ! In the interest of robustness, servers SHOULD ignore any empty
 ! line(s) received where a Request-Line is expected. In other words, if

basis/http/server/requests/requests.factor

@@ -48,7 +48,9 @@ upload-limit [ 200,000,000 ] initialize
 : parse-content-length-safe ( request -- content-length )
     "content-length" header [
         dup string>number [
-            nip dup 0 >= [ invalid-content-length ] unless
+            nip dup 0 upload-limit get between? [
+                invalid-content-length
+            ] unless
         ] [ invalid-content-length ] if*
     ] [ content-length-missing ] if* ;