From bc9dd580b9096d29e6c8cc49ca11bfc5f357b9a0 Mon Sep 17 00:00:00 2001
From: hanishkvc <hanishkvc@gmail.com>
Date: Sun, 7 Dec 2025 18:34:53 +0530
Subject: [PATCH] SimpleSallap:SimpleMCP:InitalGoCleanup Limit read to
 ContentLength

Also enforce need for kind of a sane Content-Length header entry
in our case. NOTE: it does allow for 0 or other small content lengths,
which isnt necessarily valid.
---
 .../server/public_simplechat/local.tools/simplemcp.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/tools/server/public_simplechat/local.tools/simplemcp.py b/tools/server/public_simplechat/local.tools/simplemcp.py
index 8030241dbd..1072aa8abc 100644
--- a/tools/server/public_simplechat/local.tools/simplemcp.py
+++ b/tools/server/public_simplechat/local.tools/simplemcp.py
@@ -148,10 +148,17 @@ class ProxyHandler(http.server.BaseHTTPRequestHandler):
         if pr.path != '/mcp':
             self.send_error(400, f"WARN:UnknownPath:{pr.path}")
             return
-        body = self.rfile.read(gMe.nw.maxReadBytes)
-        if len(body) == gMe.nw.maxReadBytes:
+        bytesToRead = min(int(self.headers.get('Content-Length', -1)), gMe.nw.maxReadBytes)
+        if bytesToRead <= -1:
+            self.send_error(400, f"WARN:ContentLength missing:{pr.path}")
+            return
+        if bytesToRead == gMe.nw.maxReadBytes:
             self.send_error(400, f"WARN:RequestOverflow:{pr.path}")
             return
+        body = self.rfile.read(bytesToRead)
+        if len(body) != bytesToRead:
+            self.send_error(400, f"WARN:ContentLength mismatch:{pr.path}")
+            return
         self.mcp_run(body)
 
     def do_POST(self):