felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wolfgang Glas (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FELIX-3362) No possibility to impose an upper limit on the size of a POST request.
Date Sat, 25 Feb 2012 20:43:48 GMT

     [ https://issues.apache.org/jira/browse/FELIX-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Wolfgang Glas updated FELIX-3362:

    Summary: No possibility to impose an upper limit on the size of a POST request.  (was:
No possibility to impose an upper limit on the size of a PSOT request.)
> No possibility to impose an upper limit on the size of a POST request.
> ----------------------------------------------------------------------
>                 Key: FELIX-3362
>                 URL: https://issues.apache.org/jira/browse/FELIX-3362
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>    Affects Versions: http-2.2.0
>         Environment: apache-karaf-2.2.5
>            Reporter: Wolfgang Glas
> We have developed a simple file exchange application using OSGi. THe upload to this application
is using a HTTP upload form field, which creates a large multipart POST request.
> During our Q/A sessions, we discovered, that it is impossible to intentionally close
the network socket, when the upload request exceeds a configurable limit.
> We've tried the following approaches
> 1) request.getInputStream().close()
> 2) Throw an IOException in doPost() once the critical length of input data is reached.
> 3) Throw a ServletException in doPost()
> 4) Throw a SecurityException in doPost()
> It turned out, that in 1) the close()-Method reads the whole request (may be Gigabytes
of data...) before actually closing the socket.
> 2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal Server
Error to the client.
> I will attach a small sample bundle in which the behaviour may be inspected in detail.
> We classify this as a security problem, because a malicious user might trigger a DDoS
attack by just sending a few ultra-large requests to any servlet deployed to an OSGi container.
It might even suffice to to POST ultra-large data to an unknown URL, because the HTTP service
first reads all the data of the request before issuing 404 Not Found or 400 Method Not Supported
to the client.
> We'd expect, that the HTTP service closes the network socket, whenever a POST request
arrives and the consuming servlet throws an exception before the whole request has been read
from the network socket.
> Furthermore, it should be possible to close the network socket instead of issuing 404
Not Found when a POST request hits an unknown URL. This option might be turned on by a configuration
>   TIA for inspecting this issue and best regards, Wolfgang

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message