From 58e274c437e9cbcf69fd913c813aad8fbd253703 Mon Sep 17 00:00:00 2001
From: Damien Arrachequesne
Date: Tue, 11 Feb 2020 07:57:29 +0100
Subject: [PATCH] feat: decrease the default value of maxHttpBufferSize
This change reduces the default value from 100 mb to a more sane 1 mb. This helps protect the server against denial of service attacks by malicious clients sending huge amounts of data. Backported from https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b
---
 README.md | 2 +-
 lib/server.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8009d6808..894e291c7 100644
--- a/README.md
+++ b/README.md
@@ -227,7 +227,7 @@ to a single process.
 - `upgradeTimeout` (`Number`): how many ms before an uncompleted transport upgrade is cancelled (`10000`) - `maxHttpBufferSize` (`Number`): how many bytes or characters a message can be, before closing the session (to avoid DoS). Default
- value is `10E7`.
+ value is `1e6` (1MB).
 - `allowRequest` (`Function`): A function that receives a given handshake or upgrade request as its first parameter, and can decide whether to continue or not. The second argument is a function that needs to be
diff --git a/lib/server.js b/lib/server.js
index c691561b6..cafee604e 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -40,7 +40,7 @@ function Server (opts) {
 this.pingTimeout = opts.pingTimeout || 5000;
 this.pingInterval = opts.pingInterval || 25000;
 this.upgradeTimeout = opts.upgradeTimeout || 10000;
- this.maxHttpBufferSize = opts.maxHttpBufferSize || 10E7;
+ this.maxHttpBufferSize = opts.maxHttpBufferSize || 1e6;
 this.transports = opts.transports || Object.keys(transports);
 this.allowUpgrades = false !== opts.allowUpgrades;
 this.allowRequest = opts.allowRequest;
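Review bot: The new default on the `+ this.maxHttpBufferSize = opts.maxHttpBufferSize || 1e6;` line is still applied with `||`, so an explicit `maxHttpBufferSize: 0` (or any other falsy value) silently becomes `1e6`, while a negative, `NaN` or string value is stored without any check; the `allowUpgrades` line two below already uses an explicit comparison for the same reason. If a falsy option is not meant to fall back to the default, consider `this.maxHttpBufferSize = opts.maxHttpBufferSize == null ? 1e6 : opts.maxHttpBufferSize;` and, either way, a why-comment such as `// max size of one message; larger payloads close the session (DoS guard)`, plus a guard that the value is a positive finite number. Lowering the default from 100 MB to 1 MB will break deployments that depend on larger payloads, so although the commit is typed `feat:`, the changelog or migration notes should state that users sending messages above 1 MB must now set the option explicitly. The README describes the limit as "bytes or characters", so for string payloads the UTF-8 size on the wire may exceed `1e6` bytes by up to roughly 3x; how the transports actually measure the limit is not visible in this hunk. The `Server` constructor begins and ends outside the hunk.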