#!/bin/bash

# Create a big header value
echo -n "X-Huge: " > big-header.tmp
openssl rand -base64 80000 | tr -d '\n' >> big-header.tmp

# Issue the request
curl -v -H "$(cat big-header.tmp)" http://localhost:8080/test/

With the testing of it ...

$ ./curl-bigrequest.sh
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /test/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
> X-Huge: Ccq6uj0NVMiRRa...(snip huge header)...0TQnj+05cXtdNgjgIHGs=
>
< HTTP/1.1 431 Request Header Fields Too Large
< Content-Type: text/html;charset=iso-8859-1
< Content-Length: 74
< Connection: close
< Server: Jetty(9.4.3.v20170317)
<
* Closing connection 0
<h1>Bad Message 431</h1><pre>reason: Request Header Fields Too Large</pre>

Seems like it's working fine on Jetty 9.4.3 at least.

Let's see about latest Jetty 9.2 ...

$ ./curl-bigrequest.sh
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /test/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.53.1
> Accept: */*
> X-Huge: 1Kp7vXpbrf...(snip huge header)...I6QHbIqk=
>
< HTTP/1.1 413 Request Entity Too Large
< Content-Length: 0
< Connection: close
< Server: Jetty(9.2.21.v20170120)
<
* Closing connection 0

The server side logs on Jetty 9.2.21 show ...

2017-03-23 11:33:08.031:WARN:oejh.HttpParser:qtp463345942-36: Header is too large >8192
2017-03-23 11:33:08.031:WARN:oejh.HttpParser:qtp463345942-36: badMessage: 413 for HttpChannelOverHttp@7817c547{r=0,c=false,a=IDLE,uri=/test/}
2017-03-23 11:33:08.032:WARN:oejh.HttpParser:qtp463345942-36: badMessage: java.lang.IllegalStateException: too much data after closed for HttpChannelOverHttp@7817c547{r=0,c=true,a=COMPLETED,uri=/test/}

Seems to be responding appropriately.

Joakim Erdfelt / [email protected]

On Thu, Mar 23, 2017 at 10:39 AM, Jesse McConnell <[email protected]> wrote:

> I'll also point out that 9.2.1 is from 2014-06-09 and 20 bugfix releases
> behind on just the 9.2.x development branch.
>
> We released 9.4.3 earlier this week.
> :)
>
> --
> jesse mcconnell
> [email protected]
>
> On Thu, Mar 23, 2017 at 12:35 PM, Conan <[email protected]> wrote:
>
>> jetty version is 9.2.1 and java version is 1.8, thanks so much!
>>
>> Thanks,
>> Conan
>>
>> On Thu, Mar 23, 2017 at 10:22 AM, Jesse McConnell <[email protected]> wrote:
>>
>>> what version of java and jetty?
>>>
>>> --
>>> jesse mcconnell
>>> [email protected]
>>>
>>> On Thu, Mar 23, 2017 at 12:20 PM, Conan <[email protected]> wrote:
>>>
>>>> Folks,
>>>>
>>>> We use NiFi which embeds Jetty Server. Our test team found a security
>>>> bug by intercepting the http request and replacing the header with a huge
>>>> (say 1GB) text, which sent the response to NCM, which got OOM:
>>>>
>>>> 2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
>>>> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
>>>> [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=129.188.35.109,
>>>> apiPort=38484, socketAddress=129.188.35.109, socketPort=39494,
>>>> siteToSiteAddress=129.188.35.109, siteToSitePort=null] encountered
>>>> exception: java.util.concurrent.ExecutionException:
>>>> java.lang.OutOfMemoryError: Java heap space
>>>>
>>>> We tried setResponseHeaderSize here
>>>> http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setResponseHeaderSize-int-
>>>> but it didn't seem to work: it seems to us that the huge fake header
>>>> got received before this limit takes effect; as a result, the NCM got
>>>> OOM in the first place.
>>>>
>>>> Are we missing anything, or is there a potential bug with
>>>> setResponseHeaderSize, please?
>>>>
>>>> Thanks,
>>>> Conan&Sherry
>>>>
>>>> _______________________________________________
>>>> jetty-users mailing list
>>>> [email protected]
>>>> To change your delivery options, retrieve your password, or unsubscribe
>>>> from this list, visit
>>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
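The property the thread turns on is that the header-size limit has to be enforced while the request head is still being read, so that an oversized header is rejected after at most the configured limit (plus one read chunk) has been buffered, rather than after the whole thing has landed on the heap. The toy server-side logic below is an added example, not Jetty's code and not anything posted in the thread: `read_request_head`, `handle_connection`, `CountingStream` and `build_request` are names chosen for this illustration, the requests are constructed to look like the `X-Huge` curl request above, the 8192-byte limit is taken from the "Header is too large >8192" log line, and the 431 reply mirrors the Jetty 9.4.3 exchange (Jetty 9.2 answered 413 instead).

```python
"""Bounded parsing of an HTTP/1.1 request head (illustrative, not Jetty's code)."""
import io

# 8192 is the limit Jetty 9.2.21 logged in the thread ("Header is too large >8192").
MAX_HEADER_BYTES = 8192
HEAD_TERMINATOR = b"\r\n\r\n"


class HeaderTooLarge(Exception):
    """Raised as soon as the request head exceeds the configured limit."""


class CountingStream:
    """In-memory client connection that records how many bytes the server
    actually consumed (constructed for this example to check the memory bound)."""

    def __init__(self, data: bytes):
        self._stream = io.BytesIO(data)
        self.bytes_read = 0

    def read(self, n: int) -> bytes:
        chunk = self._stream.read(n)
        self.bytes_read += len(chunk)
        return chunk


def read_request_head(stream, max_header_bytes=MAX_HEADER_BYTES, chunk_size=1024):
    """Read up to the blank line that ends the head; return (head, leftover).

    The limit is checked after every chunk, so the buffer never grows past
    max_header_bytes + chunk_size no matter how much the client keeps sending.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            raise ConnectionError("client closed before end of headers")
        buf += chunk
        end = buf.find(HEAD_TERMINATOR)
        if end != -1:
            head_len = end + len(HEAD_TERMINATOR)
            if head_len > max_header_bytes:
                raise HeaderTooLarge(head_len)
            return bytes(buf[:head_len]), bytes(buf[head_len:])
        if len(buf) > max_header_bytes:
            # No terminator yet and already past the limit: stop reading now.
            raise HeaderTooLarge(len(buf))


def parse_head(head: bytes):
    """Split a complete head into (request_line, {lowercased name: value})."""
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _response(status_line: str, body: bytes) -> bytes:
    head = (f"{status_line}\r\n"
            f"Content-Type: text/html;charset=iso-8859-1\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"Connection: close\r\n\r\n")
    return head.encode("iso-8859-1") + body


def handle_connection(stream, max_header_bytes=MAX_HEADER_BYTES):
    """Serve one request; return (status_code, raw_response_bytes).

    An oversized head gets 431 plus Connection: close, as Jetty 9.4.3 did in
    the thread; the connection is dropped without reading the rest of the head.
    """
    try:
        head, _leftover = read_request_head(stream, max_header_bytes)
    except HeaderTooLarge:
        body = b"<h1>Bad Message 431</h1><pre>reason: Request Header Fields Too Large</pre>"
        return 431, _response("HTTP/1.1 431 Request Header Fields Too Large", body)
    request_line, headers = parse_head(head)
    body = f"<pre>{request_line} / {len(headers)} headers</pre>".encode("iso-8859-1")
    return 200, _response("HTTP/1.1 200 OK", body)


def build_request(huge_value_len: int) -> bytes:
    """Constructed request shaped like the curl command in the thread:
    a single X-Huge header whose value is huge_value_len bytes long."""
    return (b"GET /test/ HTTP/1.1\r\n"
            b"Host: localhost:8080\r\n"
            b"User-Agent: curl/7.53.1\r\n"
            b"Accept: */*\r\n"
            b"X-Huge: " + b"A" * huge_value_len + b"\r\n\r\n")


if __name__ == "__main__":
    for size in (64, 100_000):
        conn = CountingStream(build_request(size))
        status, _ = handle_connection(conn)
        print(f"X-Huge value of {size} bytes -> {status}; server buffered {conn.bytes_read} bytes")
```

Run as a script, the 100 000-byte header is answered with 431 after the server has consumed only 9216 bytes (nine 1024-byte reads), which is the behaviour to look for when checking whether a limit is applied at parse time or only after the request has been fully received.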
