I suspect the length checks are there, as you say, because of DOS protection, but they don't exist in other servlets in Shindig. As a general rule DOS protections like these should be a cross-cutting feature like a servlet filter or a capability in your reverse-proxy rather than embedded in individual servlets. I'm inclined just to remove it. Anyone else have an opinion on this?
On Thu, Sep 17, 2009 at 10:47 AM, David Boyer <[email protected]> wrote:

> When I hit RpcServlet (gadgets-metadata) with a POST that has Transfer-Encoding chunked, the server returns a 411 Length Required. The problem is that the HTTP 1.1 spec says that Content-Length should not be there, and more importantly Content-Length must be ignored if the Transfer-Encoding is present and has a value other than identity.
>
> I've done a basic search of the mailing list and I can't see why the length checks are present, but I suspect they are some basic DOS protection. Just to give additional information, all of my posted content to /gadgets/metadata has had Content-Length settings in the range of 210-220. The check for whether the content length is too long is 1024*128. Seems to be a check to avoid malformed or maliciously formed POSTs. I suspect there are issues around transfer-encoding where someone could choke a server with extremely large POST entity requests. So RpcServlet may have avoided that issue, but did so by breaking the HTTP 1.1 spec.
>
> Attached are a unit test (JUnit 3, requires httpclient 3.1) and a patch file that causes the test to pass. I don't believe that this is necessarily the right fix, but to know that I would have to know why the checks are there.
>
> Can anyone shed any light on this issue?
>
> --
> David S Boyer (IBM Jazz Web UI Foundation)
> [email protected]
> 703.499.8728(h)
> 703.408.5395(m)
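The cross-cutting alternative the reply suggests, as an added example that is not Shindig's code or the attached patch: a hypothetical servlet filter (written against the javax.servlet 3.1 API) that keeps the same 1024*128 cap but enforces it by counting bytes as the servlet reads them, so a chunked POST without Content-Length is accepted and still bounded instead of being refused with 411. `BodySizeLimitFilter`, `LimitedRequest` and `MAX_BODY_BYTES` are names assumed for illustration.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
/** Cross-cutting request-body cap that works with or without Content-Length (hypothetical, not Shindig code). */
public class BodySizeLimitFilter implements Filter {
    static final long MAX_BODY_BYTES = 1024 * 128;   // the same cap the thread mentions
    /** Raised by the counting stream once the cap is exceeded. */
    static final class BodyTooLargeException extends IOException {}
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // A declared Content-Length over the cap is rejected before anything is read. A chunked request
        // has no Content-Length (getContentLength() returns -1), so it is limited by counting bytes instead.
        if (http.getContentLength() > MAX_BODY_BYTES) {
            out.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        try {
            chain.doFilter(new LimitedRequest(http), res);
        } catch (BodyTooLargeException e) {
            if (!res.isCommitted()) out.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
        }
    }
    /** Wraps the request so both getInputStream() and getReader() stop at MAX_BODY_BYTES. */
    static final class LimitedRequest extends HttpServletRequestWrapper {
        LimitedRequest(HttpServletRequest r) { super(r); }
        @Override public ServletInputStream getInputStream() throws IOException {
            final ServletInputStream in = super.getInputStream();   // container already de-chunked it
            return new ServletInputStream() {
                private long count;
                @Override public int read() throws IOException {
                    int b = in.read();
                    if (b != -1 && ++count > MAX_BODY_BYTES) throw new BodyTooLargeException();
                    return b;
                }
                // Servlet 3.1 non-blocking hooks, delegated unchanged
                @Override public boolean isFinished() { return in.isFinished(); }
                @Override public boolean isReady() { return in.isReady(); }
                @Override public void setReadListener(ReadListener l) { in.setReadListener(l); }
            };
        }
        @Override public BufferedReader getReader() throws IOException {
            // Route getReader() through the counting stream so it cannot bypass the cap.
            String enc = getCharacterEncoding() != null ? getCharacterEncoding() : "ISO-8859-1";
            return new BufferedReader(new InputStreamReader(getInputStream(), enc));
        }
    }
}
```

The 413 is only sent if the servlet lets the IOException propagate and has not yet committed the response; a servlet that swallows IOException will simply see a truncated body.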

