[ https://issues.apache.org/jira/browse/NUTCH-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gerard Bouchar updated NUTCH-2561: ---------------------------------- Attachment: evilserver.py > protocol-http can be made to read arbitrarily large HTTP responses > ------------------------------------------------------------------ > > Key: NUTCH-2561 > URL: https://issues.apache.org/jira/browse/NUTCH-2561 > Project: Nutch > Issue Type: Sub-task > Reporter: Gerard Bouchar > Priority: Critical > Attachments: evilserver.py > > > protocol-http limits the size of the HTTP response body. However > * There is no limit over the size of the HTTP headers it reads. A bogus > server could send an infinite stream of different HTTP headers and cause the > fetcher to go out of memory, or send the same HTTP header repeatedly and > cause the fetcher to timeout. > * The same goes for the HTTP status line: no check is made concerning its > size. > This can be both a performance and a security problem -- This message was sent by Atlassian JIRA (v7.6.3#76005)