[ https://issues.apache.org/jira/browse/FELIX-6774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17949977#comment-17949977 ]
Paul Rütter commented on FELIX-6774:
------------------------------------

[https://stackoverflow.com/questions/78659372/how-do-you-set-in-jetty-12-a-max-request-size-programmatically] states that this only works for blocking APIs, which we don't use by setting.
{code:java}
holder.setAsyncSupported(true);
{code}
I'm thinking about putting in the [https://jetty.org/docs/jetty/12/programming-guide/server/http.html#handler-use-size-limit] instead of using
{code:java}
context.setMaxFormContentSize(this.config.getMaxFormSize());
{code}
Let me know what you think [~cziegeler]

> `org.apache.felix.http.jetty.maxFormSize` not enforced
> ------------------------------------------------------
>
>                 Key: FELIX-6774
>                 URL: https://issues.apache.org/jira/browse/FELIX-6774
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>            Reporter: Paul Rütter
>            Priority: Major
>              Labels: security
>
> |{{org.apache.felix.http.jetty.maxFormSize}}|The maximum size accepted for a form post, in bytes. Defaults to 200 KB.|
> Although this doesn't seem to be enforced. Not sure if this is a Felix HTTP
> bug, or a Jetty bug. I managed to reproduce this on Jetty 11 and Jetty 12.
> When configuring {{org.apache.felix.http.jetty.maxFormSize}}, in code the
> following is performed:
> context.setMaxFormContentSize(this.config.getMaxFormSize());
> But when setting this option, I'm still able to perform POST requests with a
> body larger than the specified size. I will add a branch with an IT where
> this is demonstrated, as well as a branch with a proposed fix.
> According to [Jetty
> documentation|https://jetty.org/docs/jetty/12/programming-guide/security/configuring-form-size.html]
> that should be sufficient to limit any form uploads in size. Related
> https://github.com/jetty/jetty.project/issues/8086#issuecomment-1142502052

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
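
The handler-level limit proposed in the comment above, shown on an embedded Jetty 12 server. This is an added example, not code from the issue or from the Felix code base; it assumes the Jetty 12 EE10 servlet modules, and the class names, the port and the 200 KB value (the documented default) are chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.ee10.servlet.ServletHolder;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.SizeLimitHandler;

public class SizeLimitExample {
    // Assumption: 200 KB, the documented default of org.apache.felix.http.jetty.maxFormSize.
    static final int MAX_FORM_SIZE = 200 * 1024;

    // Hypothetical servlet that consumes the raw body without calling getParameter().
    static class BodyLengthServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            long total = 0;
            byte[] buf = new byte[8192];
            try (InputStream in = req.getInputStream()) {
                for (int n; (n = in.read(buf)) != -1; ) total += n;
            }
            resp.getWriter().println("read " + total + " bytes");
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server);
        connector.setPort(8080); // constructed port for the example
        server.addConnector(connector);

        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        ServletHolder holder = new ServletHolder(new BodyLengthServlet());
        holder.setAsyncSupported(true);
        context.addServlet(holder, "/*");
        // The setting the issue reports as not enforced; kept for comparison.
        context.setMaxFormContentSize(MAX_FORM_SIZE);

        // Request-body limit applied outside the context; -1 leaves responses unlimited.
        SizeLimitHandler sizeLimit = new SizeLimitHandler(MAX_FORM_SIZE, -1);
        sizeLimit.setHandler(context);
        server.setHandler(sizeLimit);
        server.start();
        server.join();
    }
}
```

Because the limit sits in the handler chain rather than in form-parameter parsing, it covers every request body that passes through it, so an integration test can POST a body just over `MAX_FORM_SIZE` with and without the wrapper and compare the responses.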