Return-Path: Delivered-To: apmail-jakarta-commons-httpclient-dev-archive@www.apache.org Received: (qmail 86002 invoked from network); 10 Oct 2003 16:22:08 -0000 Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12) by minotaur-2.apache.org with SMTP; 10 Oct 2003 16:22:08 -0000 Received: (qmail 60813 invoked by uid 500); 10 Oct 2003 16:21:30 -0000 Delivered-To: apmail-jakarta-commons-httpclient-dev-archive@jakarta.apache.org Received: (qmail 60790 invoked by uid 500); 10 Oct 2003 16:21:29 -0000 Mailing-List: contact commons-httpclient-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Commons HttpClient Project" Reply-To: "Commons HttpClient Project" Delivered-To: mailing list commons-httpclient-dev@jakarta.apache.org Received: (qmail 60762 invoked from network); 10 Oct 2003 16:21:29 -0000 Received: from unknown (HELO outhub1.tibco.com) (63.100.100.155) by daedalus.apache.org with SMTP; 10 Oct 2003 16:21:29 -0000 Received: from nodnsquery(10.106.128.33) by outhub1.tibco.com via csmap id d454691a_fb3d_11d7_856a_00304811db0b_13327; Fri, 10 Oct 2003 09:21:40 -0700 (PDT) Received: from nsmail1.tibco.com (nsmail1.tibco.com [10.106.128.41]) by na-h-inhub1.tibco.com (8.12.10/8.12.10) with ESMTP id h9AGLW0o015657 for ; Fri, 10 Oct 2003 09:21:32 -0700 (PDT) Received: from tibco.com (remote-10.98.32.107.tibco.com [10.98.32.107]) by mail1.tibco.com (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HMJ00I5EURW8B@mail1.tibco.com> for commons-httpclient-dev@jakarta.apache.org; Fri, 10 Oct 2003 09:21:32 -0700 (PDT) Date: Fri, 10 Oct 2003 12:21:31 -0400 From: Eric Johnson Subject: Re: Proposal: Configurable HTTP Response length limit In-reply-to: <200310101752.43303.ck@rrzn.uni-hannover.de> To: Commons HttpClient Project Message-id: <3F86DC8B.5060504@tibco.com> MIME-version: 1.0 Content-type: text/plain; charset=iso-8859-1; format=flowed Content-transfer-encoding: 7BIT X-Accept-Language: en-us, en User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 References: <200310101247.40166.ck@rrzn.uni-hannover.de> <200310101612.05457.ck@rrzn.uni-hannover.de> <3F86C9AD.4000404@tibco.com> <200310101752.43303.ck@rrzn.uni-hannover.de> X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N At a lower level, the potential failure points are undoubtedly there. Unless you could point to a real-world server that causes them, or a security bug that stems from them, any such fixes would be academic in nature. Can you cause an out of memory failure while using getResponseBodyAsStream() to process a response from a *conformant* HTTP server? Sure, I could construct a "chunked" response that indicated as a chunk size a number on the order of (16^(2^30)), which would consume all available memory, but then the question would be how to detect that and fail the connection sooner - due to a non-conformant server. It would not be a question of merely prematurely terminating the chunk. I don't see how ChunkedInputStream.exhaustInputStream() can actually consume all available memory. Rather I see that if the server never stops sending data, it will simply never exit. The latter condition suggests an abuse of the HTTP protocol, and an alternative "streaming" protocol would be more appropriate. -Eric. ck@rrzn.uni-hannover.de wrote: > Eric, > >adding a maxBytes parameter to getResponseBody seems to be a resonable idea to >limit the actual number of bytes returned in the response body. > >Nevertheless, you would still have to fix some other flaws lying around at >lower levels that attempt to read until EOF or newline, such as >ChunkedInputStream.close() and exhaustInputStream() - or >HttpParser.readRawline(). > >I can easily provide test cases which will cause HttpClient to eat up all >available memory throwing an OutOfMemoryError because of reading and reading >from a never ending HTTP Response. > >I would regard this behaviour as a bug. > >The patch is intended as an "emergency brake" if methods at higher levels try >to read until EOF. It is up to the user whether to set this hard limit or >not. > > >Christian > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org >For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org