[jira] [Created] (FELIX-3362) No possibility to impose an upper limit on the size of a PSOT request.

Sat, 25 Feb 2012 12:44:11 -0800 

No possibility to impose an upper limit on the size of a PSOT request.
----------------------------------------------------------------------

                 Key: FELIX-3362
                 URL: https://issues.apache.org/jira/browse/FELIX-3362
             Project: Felix
          Issue Type: Bug
          Components: HTTP Service
    Affects Versions: http-2.2.0
         Environment: apache-karaf-2.2.5
            Reporter: Wolfgang Glas


We have developed a simple file exchange application using OSGi. THe upload to 
this application is using a HTTP upload form field, which creates a large 
multipart POST request.

During our Q/A sessions, we discovered, that it is impossible to intentionally 
close the network socket, when the upload request exceeds a configurable limit.

We've tried the following approaches

1) request.getInputStream().close()
2) Throw an IOException in doPost() once the critical length of input data is 
reached.
3) Throw a ServletException in doPost()
4) Throw a SecurityException in doPost()

It turned out, that in 1) the close()-Method reads the whole request (may be 
Gigabytes of data...) before actually closing the socket.

2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal 
Server Error to the client.

I will attach a small sample bundle in which the behaviour may be inspected in 
detail.

We classify this as a security problem, because a malicious user might trigger 
a DDoS attack by just sending a few ultra-large requests to any servlet 
deployed to an OSGi container. It might even suffice to to POST ultra-large 
data to an unknown URL, because the HTTP service first reads all the data of 
the request before issuing 404 Not Found or 400 Method Not Supported to the 
client.

We'd expect, that the HTTP service closes the network socket, whenever a POST 
request arrives and the consuming servlet throws an exception before the whole 
request has been read from the network socket.

Furthermore, it should be possible to close the network socket instead of 
issuing 404 Not Found when a POST request hits an unknown URL. This option 
might be turned on by a configuration option.

  TIA for inspecting this issue and best regards, Wolfgang

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to