[
https://issues.apache.org/jira/browse/FELIX-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13819448#comment-13819448
]
J.W. Janssen commented on FELIX-3362:
-------------------------------------
There is no way to abort an upload from a client, see [this SO
question|http://stackoverflow.com/questions/3107631/how-to-close-a-http-connection-from-the-httpservlet].
Jetty does have [support for "100
Continue"|http://wiki.eclipse.org/Jetty/Feature/1xx_Responses], allowing you to
introspect its content length before continuing. That is, if you can manage
your client to send an "Expect: 100-continue" header, which is not easily
done...
> No possibility to impose an upper limit on the size of a POST request.
> ----------------------------------------------------------------------
>
> Key: FELIX-3362
> URL: https://issues.apache.org/jira/browse/FELIX-3362
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http-2.2.0
> Environment: apache-karaf-2.2.5
> Reporter: Wolfgang Glas
> Attachments: 20120224-upload-test.zip
>
>
> We have developed a simple file exchange application using OSGi. THe upload
> to this application is using a HTTP upload form field, which creates a large
> multipart POST request.
> During our Q/A sessions, we discovered, that it is impossible to
> intentionally close the network socket, when the upload request exceeds a
> configurable limit.
> We've tried the following approaches
> 1) request.getInputStream().close()
> 2) Throw an IOException in doPost() once the critical length of input data is
> reached.
> 3) Throw a ServletException in doPost()
> 4) Throw a SecurityException in doPost()
> It turned out, that in 1) the close()-Method reads the whole request (may be
> Gigabytes of data...) before actually closing the socket.
> 2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal
> Server Error to the client.
> I will attach a small sample bundle in which the behaviour may be inspected
> in detail.
> We classify this as a security problem, because a malicious user might
> trigger a DDoS attack by just sending a few ultra-large requests to any
> servlet deployed to an OSGi container. It might even suffice to to POST
> ultra-large data to an unknown URL, because the HTTP service first reads all
> the data of the request before issuing 404 Not Found or 400 Method Not
> Supported to the client.
> We'd expect, that the HTTP service closes the network socket, whenever a POST
> request arrives and the consuming servlet throws an exception before the
> whole request has been read from the network socket.
> Furthermore, it should be possible to close the network socket instead of
> issuing 404 Not Found when a POST request hits an unknown URL. This option
> might be turned on by a configuration option.
> TIA for inspecting this issue and best regards, Wolfgang
--
This message was sent by Atlassian JIRA
(v6.1#6144)
