Untitled

@@ -41,6 +41,9 @@ using namespace EsiLib;
 #define PLUGIN_NAME "combo_handler"
 #define PLUGIN_VERSION "0.1"

+#define MAX_FILE_COUNT 30
+#define MAX_QUERY_LENGTH 3000
+
 int arg_idx;
 static TSTextLogObject log;
 static string SIG_KEY_NAME;

@@ -396,6 +398,11 @@ getClientRequest(TSHttpTxn txnp, TSMBuffer bufp, TSMLoc hdr_loc, TSMLoc url_loc,
         LOG_ERROR("failed getting Default Bucket for the request");
         return;
       }
+    if (query_len > MAX_QUERY_LENGTH) {
+      creq.status = TS_HTTP_STATUS_BAD_REQUEST;
+      LOG_ERROR("querystring too long");
+      return;
+    }
     parseQueryParameters(query, query_len, creq);
     creq.client_addr = TSHttpTxnClientAddrGet(txnp);
     checkGzipAcceptance(bufp, hdr_loc, creq);
@@ -508,6 +515,13 @@ if (!creq.file_urls.size()) {
   creq.status = TS_HTTP_STATUS_FORBIDDEN;
   creq.file_urls.clear();
  }
+
+if (creq.file_urls.size() > MAX_FILE_COUNT) {
+  creq.status = TS_HTTP_STATUS_BAD_REQUEST;
+  LOG_ERROR("too many files in url");
+  creq.file_urls.clear();
+}
+
 }

 static void