[
https://issues.apache.org/jira/browse/FELIX-6774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17949973#comment-17949973
]
Paul Rütter commented on FELIX-6774:
------------------------------------
[~cziegeler] given the possible security implications, can you take a look at
this as soon as possible?
Maybe I'm just misunderstanding what `maxFormSize` does.
> `org.apache.felix.http.jetty.maxFormSize` not enforced
> ------------------------------------------------------
>
> Key: FELIX-6774
> URL: https://issues.apache.org/jira/browse/FELIX-6774
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Reporter: Paul Rütter
> Priority: Major
> Labels: security
>
> |{{org.apache.felix.http.jetty.maxFormSize}}|The maximum size accepted for a
> form post, in bytes. Defaults to 200 KB.|
> Although this doesn't seem to be enforced. Not sure if this is a Felix HTTP
> bug, or a Jetty bug. I managed to reproduce this on Jetty 11 and Jetty 12.
> When configuring {{org.apache.felix.http.jetty.maxFormSize}}, in code the
> following is performed:
> context.setMaxFormContentSize(this.config.getMaxFormSize());
> But when setting this option, I'm still able to perform POST requests with a
> body larger than the specified size. I will add a branch with an IT where
> this is demonstrated, as well as a branch with a proposed fix.
> According to [Jetty
> documentation|https://jetty.org/docs/jetty/12/programming-guide/security/configuring-form-size.html]
> that should be sufficient to limit any form uploads in size. Related
> https://github.com/jetty/jetty.project/issues/8086#issuecomment-1142502052