Ratchet
[Security] Response size limitation
Hi
How can I limit the size of the response from the client?
For example, after sending a client more than 100 bytes, the connection must be disconnected. (In one post)
This is my web socket server:
    $loop = \React\EventLoop\Factory::create();
    new \Ratchet\Server\IoServer(
        new \Ratchet\Http\HttpServer(
            new \Ratchet\WebSocket\WsServer(
                new class implements \Ratchet\MessageComponentInterface {
                    public function onOpen(\Ratchet\ConnectionInterface $con){
                    }
                    public function onMessage(\Ratchet\ConnectionInterface $con, $message){
                        echo strlen($message); // How much?
                    }
                    public function onClose(\Ratchet\ConnectionInterface $con){
                    }
                    public function onError(\Ratchet\ConnectionInterface $con, \Exception $e){
                    }
                }
            )
        ),
        new \React\Socket\SecureServer(
            new \React\Socket\Server('127.0.0.1:8989', $loop),
            $loop,
            array(
                'local_cert' => '...',
                'local_pk' => '...',
                'allow_self_signed' => true,
                'verify_peer' => false
            )
        )
    );
    $loop->run();
How many bytes of data can be received from the client? How can I restrict this configuration?
If I cannot manage this configuration, the attacker can send big data and take up memory (or I cannot have precise management on the server).
I'm not familiar with reactphp source code, so I think it's related to: https://github.com/reactphp/stream/blob/70d6e15d5f90730651558852c74fbb767fd9215b/src/ReadableResourceStream.php#L137
@clue
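
The memory concern in the post above is decided at the framing layer: an RFC 6455 frame header declares its payload length, so a server can refuse an oversized frame before buffering any of the payload. The following is an added example, not part of the original post and not Ratchet or ReactPHP code; `declaredPayloadLength()`, `admitFrame()` and the sample headers are hypothetical names and constructed data.

```php
<?php
declare(strict_types=1);

/**
 * Read the payload length declared in an RFC 6455 frame header.
 * Returns null while the header is still incomplete.
 */
function declaredPayloadLength(string $buf): ?int
{
    if (strlen($buf) < 2) {
        return null;
    }
    $len = ord($buf[1]) & 0x7F;   // low 7 bits of the second byte (high bit is MASK)
    if ($len === 126) {           // 16-bit extended length follows
        return strlen($buf) < 4 ? null : unpack('n', substr($buf, 2, 2))[1];
    }
    if ($len === 127) {           // 64-bit extended length follows
        return strlen($buf) < 10 ? null : unpack('J', substr($buf, 2, 8))[1];
    }
    return $len;
}

/**
 * Decide what to do with the bytes received so far for one frame.
 * $alreadyBuffered is the payload size of earlier fragments of the same message,
 * so the limit applies to the whole message, not to each fragment.
 * Returns 'wait', 'accept' or 'close'.
 */
function admitFrame(string $buf, int $alreadyBuffered, int $maxMessageBytes): string
{
    $len = declaredPayloadLength($buf);
    if ($len === null) {
        return 'wait';    // only header bytes (at most 10) are held at this point
    }
    // A negative value means the top bit of a 64-bit length was set, which RFC 6455 forbids.
    if ($len < 0 || $len > $maxMessageBytes - $alreadyBuffered) {
        return 'close';   // answer with close status 1009 (Message Too Big) and disconnect
    }
    return 'accept';
}

// Constructed sample headers (client frames, MASK bit set; masking key and payload omitted).
$samples = [
    'short text, 5 bytes'  => "\x81\x85",
    '16-bit length, 300'   => "\x82\xFE\x01\x2C",
    '64-bit length, 4 GiB' => "\x82\xFF\x00\x00\x00\x01\x00\x00\x00\x00",
    'header cut short'     => "\x82\xFE\x01",
];
foreach ($samples as $name => $header) {
    printf("%-22s %s\n", $name, admitFrame($header, 0, 100));
}
```

A length check placed only in `onMessage` runs after the complete message has already been assembled in memory, so it can disconnect the client but cannot bound the allocation.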