[
https://issues.apache.org/jira/browse/NUTCH-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gerard Bouchar updated NUTCH-2561:
----------------------------------
Attachment: evilserver.py
> protocol-http can be made to read arbitrarily large HTTP responses
> ------------------------------------------------------------------
>
> Key: NUTCH-2561
> URL: https://issues.apache.org/jira/browse/NUTCH-2561
> Project: Nutch
> Issue Type: Sub-task
> Reporter: Gerard Bouchar
> Priority: Critical
> Attachments: evilserver.py
>
>
> protocol-http limits the size of the HTTP response body. However:
> * There is no limit over the size of the HTTP headers it reads. A bogus
> server could send an infinite stream of different HTTP headers and cause the
> fetcher to go out of memory, or send the same HTTP header repeatedly and
> cause the fetcher to time out.
> * The same goes for the HTTP status line: no check is made concerning its
> size.
> This can be both a performance and a security problem.
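One way to bound the status line and headers the report describes, as an added Java example; it is not part of the original message and not Nutch's protocol-http code. The class name, the three limits and the sample input are assumptions made for illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

/** Hypothetical bounded reader for an HTTP status line and headers (not Nutch code). */
public class BoundedHeadReader {
  // Assumed limits, chosen for illustration only.
  static final int MAX_LINE_BYTES = 8 * 1024;    // status line or any single header
  static final int MAX_HEAD_BYTES = 64 * 1024;   // all header lines together
  static final int MAX_HEADER_COUNT = 100;

  /** Reads one LF-terminated line (trailing CR stripped); fails once it passes maxBytes. */
  static String readLine(InputStream in, int maxBytes) throws IOException {
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    for (int b = in.read(); b != '\n'; b = in.read()) {
      if (b == -1) throw new IOException("stream ended inside the response head");
      if (buf.size() >= maxBytes) throw new IOException("line or head size limit exceeded");
      buf.write(b);
    }
    String line = new String(buf.toByteArray(), StandardCharsets.ISO_8859_1);
    return line.endsWith("\r") ? line.substring(0, line.length() - 1) : line;
  }

  /** Returns the status line followed by the header lines, enforcing all three limits. */
  static List<String> readHead(InputStream in) throws IOException {
    List<String> lines = new ArrayList<>();
    lines.add(readLine(in, MAX_LINE_BYTES));     // the status line is capped too
    int budget = MAX_HEAD_BYTES;
    while (true) {
      String line = readLine(in, Math.min(MAX_LINE_BYTES, budget));
      if (line.isEmpty()) return lines;          // blank line ends the head
      if (lines.size() > MAX_HEADER_COUNT) throw new IOException("too many headers");
      budget -= line.length() + 2;               // count the CRLF as well
      lines.add(line);
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed input: a well-formed head, then a server repeating one header forever.
    byte[] ok = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n".getBytes(StandardCharsets.ISO_8859_1);
    System.out.println(readHead(new ByteArrayInputStream(ok)));
    InputStream endless = new InputStream() {
      private final String status = "HTTP/1.1 200 OK\r\n";
      private int i = 0;
      @Override public int read() {
        return i < status.length() ? status.charAt(i++) : "X-Pad: a\r\n".charAt((i++ - status.length()) % 10);
      }
    };
    try { readHead(endless); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```

These caps bound memory and the number of lines read; a server that sends bytes slowly still needs a socket read timeout or an overall fetch deadline.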