From f1f7a2267460c5ed456153a4a04d864fb7865c56 Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Thu, 15 Sep 2022 14:25:29 -0600
Subject: Reject absurdly long duration strings (fix #4175)

---
 caddy.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'caddy.go')

diff --git a/caddy.go b/caddy.go
index 26c149b..9595c96 100644
--- a/caddy.go
+++ b/caddy.go
@@ -763,8 +763,12 @@ func (d *Duration) UnmarshalJSON(b []byte) error {
 
 // ParseDuration parses a duration string, adding
 // support for the "d" unit meaning number of days,
-// where a day is assumed to be 24h.
+// where a day is assumed to be 24h. The maximum
+// input string length is 1024.
 func ParseDuration(s string) (time.Duration, error) {
+	if len(s) > 1024 {
+		return 0, fmt.Errorf("parsing duration: input string too long")
+	}
 	var inNumber bool
 	var numStart int
 	for i := 0; i < len(s); i++ {
-- 
cgit v1.2.3