Re: OOM by huge header size attack: setResponseHeaderSize won't work

2017-03-23 Thread Andy LoPresto
I’ve moved further discussion of this issue to secur...@nifi.apache.org.

Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Mar 23, 2017, at 10:26 AM, Ke Yang (Conan)

OOM by huge header size attack: setResponseHeaderSize won't work

2017-03-23 Thread Ke Yang (Conan)
Folks,

We use NiFi, which embeds Jetty Server. Our test team found a security bug by intercepting the HTTP request and replacing the header with a huge (say 1GB) text, which sent the response to NCM, which got OOM:

2017-03-07 03:44:03,522 WARN [NiFi Web Server-22]