From 649c72bab9e7b50d657b5b432d0c205c95c2be07 Mon Sep 17 00:00:00 2001
From: Jeremy Evans
Date: Mon, 13 Jul 2020 15:47:25 -0700
Subject: [PATCH] Decrease default allowed parameter recursion level from 100 to 32
Fixes stack issues on HP-PARISC. 32 levels ought to be enough for anybody. Fixes #1640.
---
 CHANGELOG.md | 1 +
 README.rdoc | 2 +-
 lib/rack/utils.rb | 2 +-
 test/spec_request.rb | 6 +++---
 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 773585e12..1bc4a7ad9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ All notable changes to this project will be documented in this file. For info on
 - HMAC argument for `Rack::Session::Cookie` doesn't accept a class constant anymore, but only a string recognized by OpenSSL (e.g. `"SHA256"`) or compatible instance (e.g. `OpenSSL::Digest.new("SHA256")`) ([#1676](https://github.com/rack/rack/pull/1676), [@bdewater](https://github.com/bdewater))
 - `Rack::HTTP_VERSION` has been removed and the `HTTP_VERSION` env setting is no longer set in the CGI and Webrick handlers . ([#970](https://github.com/rack/rack/issues/970), [@jeremyevans](https://github.com/jeremyevans))
 - `Rack::Request#[]` and `#[]=` now warn even in non-verbose mode. ([#1277](https://github.com/rack/rack/issues/1277), [@jeremyevans](https://github.com/jeremyevans))
+- Decrease default allowed parameter recursion level from 100 to 32. ([#1640](https://github.com/rack/rack/issues/1640), [@jeremyevans](https://github.com/jeremyevans))
 ### Fixed
diff --git a/README.rdoc b/README.rdoc
index 7128dfef5..caebc845f 100644
--- a/README.rdoc
+++ b/README.rdoc
@@ -200,7 +200,7 @@ but this query string would not be allowed:
 Limiting the depth prevents a possible stack overflow when parsing parameters.
-Defaults to 100.
+Defaults to 32.
 === multipart_part_limit
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index d01909ff0..7de7a9dff 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -27,7 +27,7 @@ class << self
 end
 # The default number of bytes to allow parameter keys to take up.
 # This helps prevent a rogue client from flooding a Request.
- self.default_query_parser = QueryParser.make_default(65536, 100)
+ self.default_query_parser = QueryParser.make_default(65536, 32)
 module_function
diff --git a/test/spec_request.rb b/test/spec_request.rb
index c948947e1..35cfe5821 100644
--- a/test/spec_request.rb
+++ b/test/spec_request.rb
@@ -343,14 +343,14 @@ def initialize(*)
 end
 it "limit the allowed parameter depth when parsing parameters" do
- env = Rack::MockRequest.env_for("/?a#{'[a]' * 110}=b")
+ env = Rack::MockRequest.env_for("/?a#{'[a]' * 40}=b")
 req = make_request(env)
 lambda { req.GET }.must_raise RangeError
- env = Rack::MockRequest.env_for("/?a#{'[a]' * 90}=b")
+ env = Rack::MockRequest.env_for("/?a#{'[a]' * 30}=b")
 req = make_request(env)
 params = req.GET
- 90.times { params = params['a'] }
+ 30.times { params = params['a'] }
 params['a'].must_equal 'b'
 old, Rack::Utils.param_depth_limit = Rack::Utils.param_depth_limit, 3
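Review bot: The two comment lines above the changed `QueryParser.make_default(65536, 32)` call still describe only the first argument (the byte budget for parameter keys), so the second argument — the value this commit tunes — remains a bare literal with no explanation at the point where it is set. Since this is the default that deployers adjust through `Rack::Utils.param_depth_limit` (exercised in test/spec_request.rb in this same patch), I would extend the comment with `# The second argument is the default parameter nesting depth (32): deeper keys raise RangeError, which bounds parser recursion.`; the RangeError behaviour is what the test hunk asserts, and the recursion bound is the stated motivation of the change. The surrounding module body begins and ends outside this hunk.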
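Review bot: The depth values 40 and 30 are hard-coded against the new default of 32, which couples this test to the literal in `QueryParser.make_default` — exactly the coupling that forced the 110/90 rewrite in this commit. Deriving them from the configured limit removes it: `limit = Rack::Utils.param_depth_limit`, then `'[a]' * (limit + 8)` for the rejected case and `'[a]' * (limit - 2)` with `(limit - 2).times { params = params['a'] }` for the accepted one. Neither case probes the boundary itself (a key at exactly the limit), which is where an off-by-one in the depth check would hide; whether that depth is accepted or rejected is not visible here, so the expected side of such an assertion needs confirming against the parser before adding it. The `it` block continues past the hunk, where `param_depth_limit` is set to 3 and presumably restored.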