You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Wolfgang Glas (Created) (JIRA)" <ji...@apache.org> on 2012/02/25 21:43:48 UTC
[jira] [Created] (FELIX-3362) No possibility to impose an upper
limit on the size of a PSOT request.
No possibility to impose an upper limit on the size of a PSOT request.
----------------------------------------------------------------------
Key: FELIX-3362
URL: https://issues.apache.org/jira/browse/FELIX-3362
Project: Felix
Issue Type: Bug
Components: HTTP Service
Affects Versions: http-2.2.0
Environment: apache-karaf-2.2.5
Reporter: Wolfgang Glas
We have developed a simple file exchange application using OSGi. THe upload to this application is using a HTTP upload form field, which creates a large multipart POST request.
During our Q/A sessions, we discovered, that it is impossible to intentionally close the network socket, when the upload request exceeds a configurable limit.
We've tried the following approaches
1) request.getInputStream().close()
2) Throw an IOException in doPost() once the critical length of input data is reached.
3) Throw a ServletException in doPost()
4) Throw a SecurityException in doPost()
It turned out, that in 1) the close()-Method reads the whole request (may be Gigabytes of data...) before actually closing the socket.
2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal Server Error to the client.
I will attach a small sample bundle in which the behaviour may be inspected in detail.
We classify this as a security problem, because a malicious user might trigger a DDoS attack by just sending a few ultra-large requests to any servlet deployed to an OSGi container. It might even suffice to to POST ultra-large data to an unknown URL, because the HTTP service first reads all the data of the request before issuing 404 Not Found or 400 Method Not Supported to the client.
We'd expect, that the HTTP service closes the network socket, whenever a POST request arrives and the consuming servlet throws an exception before the whole request has been read from the network socket.
Furthermore, it should be possible to close the network socket instead of issuing 404 Not Found when a POST request hits an unknown URL. This option might be turned on by a configuration option.
TIA for inspecting this issue and best regards, Wolfgang
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (FELIX-3362) No possibility to impose an upper
limit on the size of a POST request.
Posted by "Wolfgang Glas (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wolfgang Glas updated FELIX-3362:
---------------------------------
Attachment: 20120224-upload-test.zip
A sample OSGi bundle, which simulates a file-upload servlet, which throws an exception, when the data received reaches a configured maximum.
> No possibility to impose an upper limit on the size of a POST request.
> ----------------------------------------------------------------------
>
> Key: FELIX-3362
> URL: https://issues.apache.org/jira/browse/FELIX-3362
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http-2.2.0
> Environment: apache-karaf-2.2.5
> Reporter: Wolfgang Glas
> Attachments: 20120224-upload-test.zip
>
>
> We have developed a simple file exchange application using OSGi. THe upload to this application is using a HTTP upload form field, which creates a large multipart POST request.
> During our Q/A sessions, we discovered, that it is impossible to intentionally close the network socket, when the upload request exceeds a configurable limit.
> We've tried the following approaches
> 1) request.getInputStream().close()
> 2) Throw an IOException in doPost() once the critical length of input data is reached.
> 3) Throw a ServletException in doPost()
> 4) Throw a SecurityException in doPost()
> It turned out, that in 1) the close()-Method reads the whole request (may be Gigabytes of data...) before actually closing the socket.
> 2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal Server Error to the client.
> I will attach a small sample bundle in which the behaviour may be inspected in detail.
> We classify this as a security problem, because a malicious user might trigger a DDoS attack by just sending a few ultra-large requests to any servlet deployed to an OSGi container. It might even suffice to to POST ultra-large data to an unknown URL, because the HTTP service first reads all the data of the request before issuing 404 Not Found or 400 Method Not Supported to the client.
> We'd expect, that the HTTP service closes the network socket, whenever a POST request arrives and the consuming servlet throws an exception before the whole request has been read from the network socket.
> Furthermore, it should be possible to close the network socket instead of issuing 404 Not Found when a POST request hits an unknown URL. This option might be turned on by a configuration option.
> TIA for inspecting this issue and best regards, Wolfgang
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (FELIX-3362) No possibility to impose an upper
limit on the size of a POST request.
Posted by "Wolfgang Glas (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wolfgang Glas updated FELIX-3362:
---------------------------------
Summary: No possibility to impose an upper limit on the size of a POST request. (was: No possibility to impose an upper limit on the size of a PSOT request.)
> No possibility to impose an upper limit on the size of a POST request.
> ----------------------------------------------------------------------
>
> Key: FELIX-3362
> URL: https://issues.apache.org/jira/browse/FELIX-3362
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http-2.2.0
> Environment: apache-karaf-2.2.5
> Reporter: Wolfgang Glas
>
> We have developed a simple file exchange application using OSGi. THe upload to this application is using a HTTP upload form field, which creates a large multipart POST request.
> During our Q/A sessions, we discovered, that it is impossible to intentionally close the network socket, when the upload request exceeds a configurable limit.
> We've tried the following approaches
> 1) request.getInputStream().close()
> 2) Throw an IOException in doPost() once the critical length of input data is reached.
> 3) Throw a ServletException in doPost()
> 4) Throw a SecurityException in doPost()
> It turned out, that in 1) the close()-Method reads the whole request (may be Gigabytes of data...) before actually closing the socket.
> 2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal Server Error to the client.
> I will attach a small sample bundle in which the behaviour may be inspected in detail.
> We classify this as a security problem, because a malicious user might trigger a DDoS attack by just sending a few ultra-large requests to any servlet deployed to an OSGi container. It might even suffice to to POST ultra-large data to an unknown URL, because the HTTP service first reads all the data of the request before issuing 404 Not Found or 400 Method Not Supported to the client.
> We'd expect, that the HTTP service closes the network socket, whenever a POST request arrives and the consuming servlet throws an exception before the whole request has been read from the network socket.
> Furthermore, it should be possible to close the network socket instead of issuing 404 Not Found when a POST request hits an unknown URL. This option might be turned on by a configuration option.
> TIA for inspecting this issue and best regards, Wolfgang
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (FELIX-3362) No possibility to impose an upper
limit on the size of a POST request.
Posted by "Wolfgang Glas (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/FELIX-3362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13240277#comment-13240277 ]
Wolfgang Glas commented on FELIX-3362:
--------------------------------------
Did anybody have the time to review this issue?
Best regards, Wolfgang
> No possibility to impose an upper limit on the size of a POST request.
> ----------------------------------------------------------------------
>
> Key: FELIX-3362
> URL: https://issues.apache.org/jira/browse/FELIX-3362
> Project: Felix
> Issue Type: Bug
> Components: HTTP Service
> Affects Versions: http-2.2.0
> Environment: apache-karaf-2.2.5
> Reporter: Wolfgang Glas
> Attachments: 20120224-upload-test.zip
>
>
> We have developed a simple file exchange application using OSGi. THe upload to this application is using a HTTP upload form field, which creates a large multipart POST request.
> During our Q/A sessions, we discovered, that it is impossible to intentionally close the network socket, when the upload request exceeds a configurable limit.
> We've tried the following approaches
> 1) request.getInputStream().close()
> 2) Throw an IOException in doPost() once the critical length of input data is reached.
> 3) Throw a ServletException in doPost()
> 4) Throw a SecurityException in doPost()
> It turned out, that in 1) the close()-Method reads the whole request (may be Gigabytes of data...) before actually closing the socket.
> 2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal Server Error to the client.
> I will attach a small sample bundle in which the behaviour may be inspected in detail.
> We classify this as a security problem, because a malicious user might trigger a DDoS attack by just sending a few ultra-large requests to any servlet deployed to an OSGi container. It might even suffice to to POST ultra-large data to an unknown URL, because the HTTP service first reads all the data of the request before issuing 404 Not Found or 400 Method Not Supported to the client.
> We'd expect, that the HTTP service closes the network socket, whenever a POST request arrives and the consuming servlet throws an exception before the whole request has been read from the network socket.
> Furthermore, it should be possible to close the network socket instead of issuing 404 Not Found when a POST request hits an unknown URL. This option might be turned on by a configuration option.
> TIA for inspecting this issue and best regards, Wolfgang
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira