Setting .setResponseHeaderSize() has no effect on the Request header size/limit behavior. Try using .setRequestHeaderSize() instead.
Joakim Erdfelt / [email protected]

On Thu, Mar 23, 2017 at 10:20 AM, Conan <[email protected]> wrote:
>
> Folks,
>
> We use NiFi which embeds Jetty Server. Our test team found a security
> bug by intercepting the HTTP request and replacing the header with a huge
> (say 1GB) text, which sent the response to NCM, which got OOM:
>
> 2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
> o.a.n.c.m.impl.HttpRequestReplicatorImpl
> Node request for [id=99a65e79-b856-4e43-9056-1451714498fc,
> apiAddress=129.188.35.109, apiPort=38484, socketAddress=129.188.35.109,
> socketPort=39494, siteToSiteAddress=129.188.35.109, siteToSitePort=null]
> encountered exception: java.util.concurrent.ExecutionException:
> java.lang.OutOfMemoryError: Java heap space
>
> We tried setResponseHeaderSize here
> http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setResponseHeaderSize-int-
> but it didn't seem to work: it seems to us that the huge fake header got
> received before this limit takes effect; as a result, the NCM got OOM in
> the first place.
>
> Are we missing anything, or is there a potential bug with
> setResponseHeaderSize, please?
>
>
> Thanks,
> Conan & Sherry
>
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
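The distinction Joakim points to, shown as an added example that is not part of the thread and not NiFi's or Jetty's own code: an embedded Jetty 9 server whose connector caps the inbound request header size via HttpConfiguration.setRequestHeaderSize(), so an oversized header is rejected by the HTTP parser before it is buffered in full. The limit value (8 KiB), the port (8080) and the Jetty 9.4 API level are assumptions for the illustration.

```java
// Added example (not from the mailing-list thread, NiFi or Jetty itself).
// Assumed: Jetty 9.4 (jetty-server) on the classpath, port 8080, an 8 KiB
// request-header limit.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;

public class HeaderLimitServer {

    // Builds the connector. The request-side limit is what bounds the
    // attacker-controlled bytes Jetty will buffer while parsing headers;
    // the response-side limit only sizes the buffer Jetty uses to write
    // its own response headers and has no effect on inbound requests.
    static ServerConnector connector(Server server, int requestHeaderBytes) {
        HttpConfiguration config = new HttpConfiguration();
        config.setRequestHeaderSize(requestHeaderBytes);  // inbound: the setting the thread is about
        config.setResponseHeaderSize(8 * 1024);            // outbound: irrelevant to request parsing
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(8080);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        server.addConnector(connector(server, 8 * 1024));
        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request baseRequest,
                               HttpServletRequest request, HttpServletResponse response)
                    throws IOException, ServletException {
                // Only reached for requests whose header block fits within the limit;
                // an oversized header never gets this far.
                response.setStatus(HttpServletResponse.SC_OK);
                response.getWriter().println("headers accepted");
                baseRequest.setHandled(true);
            }
        });
        server.start();
        server.join();
    }
}
```

To check the limit is actually enforced, send a header larger than the configured size, for example with curl: `curl -s -o /dev/null -w '%{http_code}\n' -H "X-Pad: $(head -c 20000 /dev/zero | tr '\0' a)" http://localhost:8080/`. Jetty 9.4 answers 431 Request Header Fields Too Large (older 9.x releases used 413) and closes the connection without ever invoking the handler, so the bytes never accumulate on the heap. Two caveats: the setting must be applied to the HttpConfiguration of the connector that is actually serving traffic (in an embedding application, that is the connector the application builds, not a separate HttpConfiguration object), and the header limit says nothing about the request body, which is bounded separately.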
