[
https://issues.apache.org/jira/browse/FELIX-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Carsten Ziegeler closed FELIX-3362.
-----------------------------------
> No possibility to impose an upper limit on the size of a POST request.
> ----------------------------------------------------------------------
>
> Key: FELIX-3362
> URL: https://issues.apache.org/jira/browse/FELIX-3362
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http-2.2.0
> Environment: apache-karaf-2.2.5
> Reporter: Wolfgang Glas
> Fix For: http-2.2.2
>
> Attachments: 20120224-upload-test.zip
>
>
> We have developed a simple file exchange application using OSGi. The upload
> to this application is using a HTTP upload form field, which creates a large
> multipart POST request.
> During our Q/A sessions, we discovered that it is impossible to
> intentionally close the network socket when the upload request exceeds a
> configurable limit.
> We've tried the following approaches
> 1) request.getInputStream().close()
> 2) Throw an IOException in doPost() once the critical length of input data is
> reached.
> 3) Throw a ServletException in doPost()
> 4) Throw a SecurityException in doPost()
> It turned out that in 1) the close()-Method reads the whole request (may be
> Gigabytes of data...) before actually closing the socket.
> 2), 3) and 4) seem to wait for the whole request before sending a 500 Internal
> Server Error to the client.
> I will attach a small sample bundle in which the behaviour may be inspected
> in detail.
> We classify this as a security problem because a malicious user might
> trigger a DDoS attack by just sending a few ultra-large requests to any
> servlet deployed to an OSGi container. It might even suffice to POST
> ultra-large data to an unknown URL, because the HTTP service first reads all
> the data of the request before issuing 404 Not Found or 400 Method Not
> Supported to the client.
> We'd expect that the HTTP service closes the network socket whenever a POST
> request arrives and the consuming servlet throws an exception before the
> whole request has been read from the network socket.
> Furthermore, it should be possible to close the network socket instead of
> issuing 404 Not Found when a POST request hits an unknown URL. This option
> might be turned on by a configuration option.
> TIA for inspecting this issue and best regards, Wolfgang
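The approaches the reporter tried all act only after the servlet has started consuming the body. The following servlet Filter is an added example (it is not part of the issue, its attachment, or the Felix HTTP Service code) showing what a bundle can do on its own side of the contract: refuse a request whose declared Content-Length already exceeds the limit before a single body byte is read, and cap the bytes a servlet can pull from the input stream so a chunked or mis-declared body cannot get past the limit either. It assumes the javax.servlet 2.5/3.0 API; the init-parameter name `maxRequestBytes`, the 10 MiB default and the class names are illustrative choices, not Felix configuration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Rejects oversized request bodies before a servlet reads them (added example, not Felix code). */
public class RequestSizeLimitFilter implements Filter {

    /** Hypothetical init-parameter name; the 10 MiB default is an assumption, not a Felix setting. */
    private static final String PARAM_MAX_BYTES = "maxRequestBytes";
    private long maxBytes = 10L * 1024 * 1024;

    public void init(FilterConfig cfg) throws ServletException {
        String v = cfg.getInitParameter(PARAM_MAX_BYTES);
        if (v != null) {
            maxBytes = Long.parseLong(v.trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Check 1: a declared Content-Length above the limit is answered with 413 before
        // any body byte is read. getContentLength() is -1 when the header is absent
        // (for example with chunked transfer encoding), which falls through to check 2.
        int declared = request.getContentLength();
        if (declared > maxBytes) {
            response.setHeader("Connection", "close");
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        // Check 2: cap the bytes the servlet can actually pull off the stream, so a
        // chunked or mis-declared body cannot exceed the limit either.
        chain.doFilter(new LimitedRequest(request, maxBytes), res);
    }

    public void destroy() { }

    /** Wraps the request so getInputStream() fails once more than `limit` bytes were read. */
    static final class LimitedRequest extends HttpServletRequestWrapper {
        private final long limit;

        LimitedRequest(HttpServletRequest r, long limit) {
            super(r);
            this.limit = limit;
        }

        @Override
        public ServletInputStream getInputStream() throws IOException {
            final ServletInputStream in = super.getInputStream();
            return new ServletInputStream() {
                private long consumed;

                @Override
                public int read() throws IOException {
                    if (consumed >= limit) {
                        throw new RequestTooLargeException(limit);
                    }
                    int b = in.read();
                    if (b >= 0) {
                        consumed++;
                    }
                    return b;
                }

                @Override
                public int read(byte[] buf, int off, int len) throws IOException {
                    if (consumed >= limit) {
                        throw new RequestTooLargeException(limit);
                    }
                    // Never read past the limit in one call; the next call then throws.
                    int n = in.read(buf, off, (int) Math.min(len, limit - consumed));
                    if (n > 0) {
                        consumed += n;
                    }
                    return n;
                }

                @Override
                public void close() throws IOException {
                    in.close();
                }
            };
        }
    }

    /** Thrown to the servlet once the cap is hit; it is an IOException so doPost() need not catch it. */
    static final class RequestTooLargeException extends IOException {
        RequestTooLargeException(long limit) {
            super("request body exceeds " + limit + " bytes");
        }
    }
}
```

This limits what the application will accept; it does not change what the HTTP service does with the unread remainder of the body. As the reporter describes for http-2.2.0, an exception propagating out of doPost() does not by itself make the service drop the connection, so the wrapped stream only guarantees that the servlet stops consuming at the limit. The Content-Length check is the part that avoids reading an oversized body altogether, and it only helps against clients that declare their length honestly; requests to unknown URLs never reach a filter and are covered only by the fix recorded for http-2.2.2.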