Questions about CVE-2025-30204

[Gobd]

So GHSA-mh63-6h87-95cp says excessive memory can be allocated. Go by default limits headers to 1MB, how is a 1MB header with 2000 . characters worse than one with 3? If someone is truly concerned they should be lowering that limit because even 1MB is probably incredibly excessive for most applications. I guess this is probably just a general Go question but hopefully someone can explain.

[Gobd]

OK after a test I see someone could parse something that did not come from a header. In this case it seems like

if strings.Count(token, tokenDelimiter) != 2 {
	return nil, false
}

at the top of splitToken func is more efficient and simple than the current method. I'd also like to see a max size opt so I could say if a token is > 8KB (or whatever user sets, with some crazy limit like 1MB) fail right away. strings.Count has a special case for when the substr is 1 char that I assume is especially optimized see https://cs.opensource.google/go/go/+/refs/tags/go1.24.1:src/strings/strings.go;l=42 and https://golang.bg/src/internal/bytealg.