[ https://issues.apache.org/jira/browse/FELIX-6774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950066#comment-17950066 ]

Paul Rütter commented on FELIX-6774:
------------------------------------

Ah, I think I understand it a bit better now.

context.setMaxFormContentSize(this.config.getMaxFormSize());

Only affects request.getParameter(), but does not apply to any other places. It 
does not affect a multipart file upload for example.

For that purpose, one can add the SizeLimitHandler, which affects all incoming 
requests (including form data). It just operates on a different level.

In that respect, this is probably not a bug, but a change request. The test I 
supplied doesn't use getParameter(), so that test is just incorrect.

So there is a use for the existing configuration property, as well as the two 
new ones I have added.

I will adjust my initial test to see if the original configuration property 
works as expected, and remove the deprecation notice, as it's probably still 
relevant on a different level. 

> `org.apache.felix.http.jetty.maxFormSize` not enforced
> ------------------------------------------------------
>
>                 Key: FELIX-6774
>                 URL: https://issues.apache.org/jira/browse/FELIX-6774
>             Project: Felix
>          Issue Type: Bug
>          Components: HTTP Service
>            Reporter: Paul Rütter
>            Assignee: Paul Rütter
>            Priority: Major
>              Labels: security
>
> |{{org.apache.felix.http.jetty.maxFormSize}}|The maximum size accepted for a 
> form post, in bytes. Defaults to 200 KB.|
> Although this doesn't seem to be enforced (e.g. any request bigger than the 
> configured limit will still be processed). Not sure if this is a Felix HTTP 
> bug, or a Jetty bug. I managed to reproduce this on Jetty 11 and Jetty 12.
> When configuring {{org.apache.felix.http.jetty.maxFormSize}}, in code the 
> following is performed: 
> context.setMaxFormContentSize(this.config.getMaxFormSize());
> But when setting this option, I'm still able to perform POST requests with a 
> body larger than the specified size. I will add a branch with an IT where 
> this is demonstrated, as well as a branch with a proposed fix.
> According to [Jetty 
> documentation|https://jetty.org/docs/jetty/12/programming-guide/security/configuring-form-size.html]
>  that should be sufficient to limit any form uploads in size. Related 
> [https://github.com/jetty/jetty.project/issues/8086#issuecomment-1142502052]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
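
The two layers discussed in the comment above, as an added example that is not code from Felix or from the commenter. It assumes Jetty 12 with the EE10 servlet module on the classpath; the class names, paths, port and limit values are constructed for illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.SizeLimitHandler;

public class LimitDemo {
    // Constructed limits, not Felix or Jetty defaults.
    static final int MAX_FORM_BYTES = 64 * 1024;        // form-parsing layer
    static final long MAX_REQUEST_BYTES = 1024 * 1024;  // whole-request layer

    /** Calls getParameter(), so the body is parsed as a form and
     *  setMaxFormContentSize applies to it. */
    public static class FormServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String data = req.getParameter("data");
            resp.getWriter().println("form field length: " + (data == null ? 0 : data.length()));
        }
    }

    /** Reads the raw body and never triggers form parsing, so the form
     *  limit does not apply here; only SizeLimitHandler bounds this path. */
    public static class RawServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            long n = req.getInputStream().transferTo(OutputStream.nullOutputStream());
            resp.getWriter().println("raw body bytes: " + n);
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.setMaxFormContentSize(MAX_FORM_BYTES);  // the call quoted in the issue
        context.addServlet(FormServlet.class, "/form");
        context.addServlet(RawServlet.class, "/raw");

        // Wraps the context, so it sees every request body before any servlet does.
        // -1 leaves the response size unlimited.
        SizeLimitHandler sizeLimit = new SizeLimitHandler(MAX_REQUEST_BYTES, -1);
        sizeLimit.setHandler(context);
        server.setHandler(sizeLimit);

        server.start();
        server.join();
    }
}
```

Posting a body between the two limits to `/form` and to `/raw` shows the difference: only the request that goes through `getParameter()` is subject to the form limit, while both are subject to the handler's request limit.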
