Are other applications vulnerable if they embed Jetty (though a newer
version) and do not make this call on the request? Must it be done per request,
or is it something that can be done server-wide on startup?

On Mar 23, 2017 6:25 PM, "Joakim Erdfelt" <[email protected]> wrote:

> Setting .setResponseHeaderSize() has no effect on the Request header
> size/limit behavior.
> Try using .setRequestHeaderSize() instead.
>
> Joakim Erdfelt / [email protected]
>
> On Thu, Mar 23, 2017 at 10:20 AM, Conan <[email protected]> wrote:
>
>>
>> Folks,
>>
>>   We use NiFi which embeds Jetty Server. Our test team found a security
>> bug by intercepting the http request and replacing the header with a huge
>> (say 1GB) text, which sent the response to NCM, which got OOM:
>>
>> 2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]
>> o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for
>> [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=129.188.35.109,
>> apiPort=38484, socketAddress=129.188.35.109, socketPort=39494,
>> siteToSiteAddress=129.188.35.109, siteToSitePort=null] encountered
>> exception: java.util.concurrent.ExecutionException:
>> java.lang.OutOfMemoryError: Java heap space
>>
>>  We tried setResponseHeaderSize here
>> http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setResponseHeaderSize-int-
>> but it didn't seem to work: it seems to us that the huge fake header got
>> received before this limit takes effect, as a result, the NCM got OOM in the
>> first place.
>>
>> Are we missing anything, or is there a potential bug with
>> setResponseHeaderSize, please?
>>
>>
>> Thanks,
>> Conan&Sherry
>>
>>
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
>
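A worked example of Joakim's suggestion, added here and not code from the thread or from the NiFi or Jetty projects: an embedded Jetty 9 server whose HttpConfiguration sets the request header limit on the connector at startup, so it applies to every request that connector accepts rather than being set per request. The port and the 8 KiB limit are constructed values.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;

public class BoundedHeaderServer {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpConfig = new HttpConfiguration();
        // Upper bound on the incoming request header block (request line plus
        // all header fields). Jetty parses headers from a buffer of this size,
        // so a larger header block is rejected by the parser instead of being
        // read into memory in full. 8 KiB is a constructed value; size it for
        // the clients you actually expect.
        httpConfig.setRequestHeaderSize(8 * 1024);

        // Bounds only the headers Jetty writes back to the client. This is the
        // method the thread tried first; it has no effect on incoming requests.
        httpConfig.setResponseHeaderSize(8 * 1024);

        // The HttpConfiguration is attached to the connection factory, so the
        // limit applies to every connection on this connector from startup.
        ServerConnector connector = new ServerConnector(server,
                new HttpConnectionFactory(httpConfig));
        connector.setPort(8080); // constructed port
        server.addConnector(connector);

        server.start();
        server.join();
    }
}
```

If the application exposes several connectors (for example HTTP and HTTPS), each one carries its own HttpConfiguration and needs the limit set.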