Re: [jetty-users] Controlling Maximum Header and Maximum Form content size

2020-10-06 Thread Ike Ikonne
Thanks Greg!
Ike

On Tuesday, October 6, 2020, 02:00:00 AM CDT, Greg Wilkins wrote:

Ike,
See
   - https://github.com/eclipse/jetty.project/blob/jetty-9.4.20.v20190813/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConfiguration.java
   - https://github.com/eclipse/jetty.project/blob/jetty-9.4.20.v20190813/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java#L1687


On Mon, 5 Oct 2020 at 17:49, Eze Ikonne  wrote:


Hi all,

 

I would like to know what method/API to set in order to control Maximum Header 
length and Maximum Form content size.

We are running embedded jetty-server-9.4.20.v20190813 and I would like to 
control the Maximum Header Length size and Maximum Form content size.

Also, what a potential test scenario would look like. We saw “WARN HttpParser 
- Header is too large 8193>8192” in our log file and we would like to control 
it.

 

Thanks,

 

Ike
=
Please refer to https://northamerica.altran.com/email-disclaimer
for important disclosures regarding this electronic communication.
=
___
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users



-- 
Greg Wilkins  CTO http://webtide.com


Re: [jetty-users] Controlling Maximum Header and Maximum Form content size

2020-10-06 Thread Joakim Erdfelt
> Also, what a potential test scenario would look like. We saw “WARN
> HttpParser - Header is too large 8193>8192” in our log file and we would
> like to control it.


Before you go and make the header larger, know that there is a global probe
of systems for vulnerabilities with large headers.

We, Jetty, have a CVE filed for it at CVE-2019-17638
See: https://www.eclipse.org/jetty/security-reports.html

Your version, 9.4.20, is not vulnerable to that header size issue, but it
is subject to other security issues, see security-reports link, familiarize
yourself with your 9.4.20 scoped security issues at a minimum.

If you want to configure for larger headers at the server side simply to
eliminate that warning, know that it will still be there, the vulnerability
probes will just keep increasing their header sizes until it triggers a
different kind of response.  You will continue to get these warnings.

No legitimate (and bug free) client will send headers that large.
Most modern browsers will even fail the request at the browser side before
even attempting to send the request with headers that large, as they have
internal limits (on overall header table size, individual header size,
overall URL size, etc)

Joakim Erdfelt / joa...@webtide.com


On Mon, Oct 5, 2020 at 10:49 AM Eze Ikonne  wrote:

> Hi all,
>
>
>
> I would like to know what method/API to set in order to control Maximum
> Header length and Maximum Form content size.
>
> We are running embedded jetty-server-9.4.20.v20190813 and I would like to
> control the Maximum Header Length size and Maximum Form content size.
>
> Also, what a potential test scenario would look like. We saw “WARN
> HttpParser - Header is too large 8193>8192” in our log file and we would
> like to control it.
>
>
>
> Thanks,
>
>
>
> Ike
>


Re: [jetty-users] Controlling Maximum Header and Maximum Form content size

2020-10-06 Thread Greg Wilkins
Ike,

See

   - https://github.com/eclipse/jetty.project/blob/jetty-9.4.20.v20190813/jetty-server/src/main/java/org/eclipse/jetty/server/HttpConfiguration.java
   - https://github.com/eclipse/jetty.project/blob/jetty-9.4.20.v20190813/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java#L1687



On Mon, 5 Oct 2020 at 17:49, Eze Ikonne  wrote:

> Hi all,
>
>
>
> I would like to know what method/API to set in order to control Maximum
> Header length and Maximum Form content size.
>
> We are running embedded jetty-server-9.4.20.v20190813 and I would like to
> control the Maximum Header Length size and Maximum Form content size.
>
> Also, what a potential test scenario would look like. We saw “WARN
> HttpParser - Header is too large 8193>8192” in our log file and we would
> like to control it.
>
>
>
> Thanks,
>
>
>
> Ike
>


-- 
Greg Wilkins  CTO http://webtide.com
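
Added example, not part of the original thread and not Jetty project code: an embedded Jetty 9.4 setup that sets the limits on the two classes linked above (`HttpConfiguration.setRequestHeaderSize`, `ContextHandler.setMaxFormContentSize` / `setMaxFormKeys`) and then runs the test scenario asked about against the local server. The class name `HeaderLimitExample`, the `X-Pad` header, and the form limit values are assumptions chosen for illustration.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.ContextHandler;

public class HeaderLimitExample {                 // hypothetical class name
    // Send one GET carrying an X-Pad header of valueLen bytes to the local
    // test server and return the status line of the response.
    static String statusFor(int port, int valueLen) throws Exception {
        char[] pad = new char[valueLen];
        Arrays.fill(pad, 'a');
        String request = "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n"
            + "X-Pad: " + new String(pad) + "\r\n\r\n";
        try (Socket socket = new Socket("localhost", port)) {
            socket.getOutputStream().write(request.getBytes(StandardCharsets.ISO_8859_1));
            socket.getOutputStream().flush();
            BufferedReader in = new BufferedReader(
                new InputStreamReader(socket.getInputStream(), StandardCharsets.ISO_8859_1));
            return in.readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        HttpConfiguration config = new HttpConfiguration();
        config.setRequestHeaderSize(8192);        // the limit shown in the log line quoted in the thread

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server, new HttpConnectionFactory(config));
        connector.setPort(0);                     // ephemeral port, local test only
        server.addConnector(connector);

        ContextHandler context = new ContextHandler("/");
        context.setMaxFormContentSize(200_000);   // example value: max bytes of a form body
        context.setMaxFormKeys(1_000);            // example value: max number of form fields
        server.setHandler(context);

        server.start();
        try {
            int port = connector.getLocalPort();
            System.out.println("1 KiB header:  " + statusFor(port, 1024));  // within the limit
            System.out.println("over 8 KiB:    " + statusFor(port, 8192));  // header block exceeds 8192
        } finally {
            server.stop();
        }
    }
}
```

The second request pushes the total header block just past the configured limit, which is the condition that produces the "Header is too large" warning from `HttpParser`; comparing the two status lines shows how the server answers a request it refuses to parse.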