Posted to users@tomcat.apache.org by Adwait Kumar Singh <ad...@gmail.com> on 2023/11/25 01:43:48 UTC

Using Async Servlets correctly to avoid smuggling.

Hey Tomcat users,

I am using Async Servlets and have a question on how to safeguard my
application from Request Smuggling.

In my current setup I do the following,

1. `startAsync` on the ServletRequest.
2. Create a ReadListener and attach it to the ServletInputStream.
3. Once I have read the entire request and onAllDataRead is invoked, I
forward the original ServletRequest and ServletResponse to other parts of
my application for further processing in a separate threadpool.
4. Once all processing is done, close the async context.

Now the dilemma I am facing is that other parts of my application still
hold a reference to the ServletRequest and ServletResponse, which can
potentially be recycled if there is an error and thereby cause request
smuggling.

What's the ideal way to safeguard against this? Should I instead pass the
AsyncContext and always fetch the ServletRequest and ServletResponse from
it instead of passing the original references?

Thanks,
Adwait.

Re: Using Async Servlets correctly to avoid smuggling.

Posted by Mark Thomas <ma...@apache.org>.
On 25/11/2023 01:43, Adwait Kumar Singh wrote:
> Hey Tomcat users,
> 
> I am using Async Servlets and have a question on how to safeguard my
> application from Request Smuggling.
> 
> In my current setup I do the following,
> 
> 1. `startAsync` on the ServletRequest.
> 2. Create a ReadListener and attach it to the ServletInputStream.
> 3. Once I have read the entire request and onAllDataRead is invoked, I
> forward the original ServletRequest and ServletResponse to other parts of
> my application for further processing in a separate threadpool.
> 4. Once all processing is done, close the async context.
> 
> Now the dilemma I am facing is that other parts of my application still
> hold a reference to the ServletRequest and ServletResponse, which can
> potentially be recycled if there is an error and thereby cause request
> smuggling.
> 
> What's the ideal way to safeguard against this? Should I instead pass the
> AsyncContext and always fetch the ServletRequest and ServletResponse from
> it instead of passing the original references?

Ideal is going to vary depending on circumstance but passing the 
AsyncContext would work.

Mark
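The pattern Mark agrees with, written out as an added example for this thread (it is not code from either poster and not Tomcat's own code). It assumes the Jakarta Servlet namespace used by Tomcat 10 and later; the servlet class name, URL pattern, pool size and timeout are illustrative choices. The four numbered steps from the original question are marked in the comments, and the only object that crosses to the worker thread is the AsyncContext plus a private copy of the body bytes:

```java
import jakarta.servlet.AsyncContext;
import jakarta.servlet.ReadListener;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletInputStream;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Hypothetical servlet for illustration; name and URL pattern are assumptions.
@WebServlet(urlPatterns = "/async-demo", asyncSupported = true)
public class AsyncContextDemoServlet extends HttpServlet {

    private final ExecutorService workers = Executors.newFixedThreadPool(4);

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Step 1: switch to async mode. From here on, only ctx is shared with
        // other threads; req and resp never leave the container thread.
        final AsyncContext ctx = req.startAsync();
        ctx.setTimeout(30_000);

        final ServletInputStream in = req.getInputStream();
        final ByteArrayOutputStream body = new ByteArrayOutputStream();
        final byte[] buf = new byte[8192];

        // Step 2: non-blocking read of the request body.
        in.setReadListener(new ReadListener() {
            @Override
            public void onDataAvailable() throws IOException {
                while (in.isReady()) {
                    int n = in.read(buf);
                    if (n == -1) {
                        break;
                    }
                    body.write(buf, 0, n);
                }
            }

            @Override
            public void onAllDataRead() {
                // Step 3: hand off to the worker pool. The worker receives the
                // AsyncContext and a copied byte[], not the request/response.
                workers.submit(() -> process(ctx, body.toByteArray()));
            }

            @Override
            public void onError(Throwable t) {
                // On an I/O error the container will recycle the request.
                // Complete the cycle now so no worker is scheduled against it.
                ctx.complete();
            }
        });
    }

    private void process(AsyncContext ctx, byte[] body) {
        try {
            // Fetch the response from the context at the moment of use.
            // Once the async cycle has been completed (error, timeout, or an
            // earlier complete()), getResponse() throws IllegalStateException
            // instead of handing back an object that may now belong to a
            // different connection.
            ServletResponse out = ctx.getResponse();
            out.setContentType("text/plain");
            out.getWriter().write("received " + body.length + " bytes\n");
        } catch (IllegalStateException | IOException e) {
            // The cycle is already over; there is nothing safe left to write.
        } finally {
            // Step 4: finish the async cycle, tolerating a second complete().
            try {
                ctx.complete();
            } catch (IllegalStateException alreadyDone) {
                // completed by onError or by a timeout; nothing to do
            }
        }
    }
}
```

The property that matters here is in `process`: because the worker never caches the ServletRequest or ServletResponse, a recycled pair can only surface as an IllegalStateException from `ctx.getResponse()`, not as a write into another client's response. The body is copied into a byte array for the same reason; the ServletInputStream is recycled with the request and should not be retained either.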
