Paul Rütter created FELIX-6774:
----------------------------------

             Summary: `org.apache.felix.http.jetty.maxFormSize` not enforced
                 Key: FELIX-6774
                 URL: https://issues.apache.org/jira/browse/FELIX-6774
             Project: Felix
          Issue Type: Bug
          Components: HTTP Service
            Reporter: Paul Rütter


|{{org.apache.felix.http.jetty.maxFormSize}}|The maximum size accepted for a form post, in bytes. Defaults to 200 KB.|

However, this doesn't seem to be enforced. I'm not sure whether this is a Felix HTTP 
bug or a Jetty bug. I managed to reproduce this on Jetty 11 and Jetty 12.

When configuring {{org.apache.felix.http.jetty.maxFormSize}}, in code the 
following is performed:
context.setMaxFormContentSize(this.config.getMaxFormSize());

But when setting this option, I'm still able to perform POST requests with a 
body larger than the specified size. I will add a branch with an IT where this 
is demonstrated, as well as a branch with a proposed fix.

According to the [Jetty documentation|https://jetty.org/docs/jetty/12/programming-guide/security/configuring-form-size.html],
that should be sufficient to limit any form uploads in size. Related:
https://github.com/jetty/jetty.project/issues/8086#issuecomment-1142502052



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
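
A black-box check for the behaviour reported above, as an added example that is not part of the original issue or of Felix or Jetty code: it posts one form body at the configured limit and one a byte over it, and reports whether the larger one is refused. The function names, the stub server and the 1024-byte demo limit are constructed for illustration; point `limit_enforced` at your own instance and configured value.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def post_form(host, port, path, size):
    """POST a urlencoded form body of exactly `size` bytes (size >= 2).
    Returns the HTTP status, or None if the server drops the connection."""
    body = ("f=" + "a" * (size - 2)).encode()
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("POST", path, body,
                     {"Content-Type": "application/x-www-form-urlencoded"})
        return conn.getresponse().status
    except (ConnectionError, http.client.HTTPException):
        return None  # an early close is one way a server refuses a body
    finally:
        conn.close()

def limit_enforced(host, port, path, limit):
    """True if a body of `limit` bytes is accepted and `limit + 1` is refused."""
    under = post_form(host, port, path, limit)
    if under is None or under >= 400:
        raise RuntimeError(f"baseline POST at the limit failed: {under}")
    over = post_form(host, port, path, limit + 1)
    return over is None or over >= 400

def start_stub(limit):
    """Constructed stand-in server: enforces `limit`, or nothing if None."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            n = int(self.headers.get("Content-Length", 0))
            self.rfile.read(n)  # drain the body so the client sees the status
            too_big = limit is not None and n > limit
            self.send_response(413 if too_big else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo output quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for label, stub_limit in (("enforcing", 1024), ("not enforcing", None)):
        srv = start_stub(stub_limit)
        ok = limit_enforced("127.0.0.1", srv.server_port, "/", 1024)
        print(f"{label} stub: limit enforced = {ok}")
        srv.shutdown()
```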
