Posted to issues@shindig.apache.org by "Paul Lindner (JIRA)" <ji...@apache.org> on 2009/10/15 09:37:31 UTC
[jira] Resolved: (SHINDIG-1096) Need a more accurate content length check
[ https://issues.apache.org/jira/browse/SHINDIG-1096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul Lindner resolved SHINDIG-1096.
-----------------------------------
Resolution: Duplicate
Fix Version/s: 1.1-BETA4
See SHINDIG-1186
> Need a more accurate content length check
> -----------------------------------------
>
> Key: SHINDIG-1096
> URL: https://issues.apache.org/jira/browse/SHINDIG-1096
> Project: Shindig
> Issue Type: Bug
> Components: Java
> Reporter: chirag shah
> Fix For: 1.1-BETA4
>
>
> Inside org.apache.shindig.gadgets.servlet.RpcServlet.java
> It's possible for the value of request.getContentLength() to be a reasonable value and for the actual size of the post body to be something ridiculous (1GB+).
> As you can see, this can lead to some interesting out-of-memory issues since the damage is already done before the check body.length != length.
> I propose that we eliminate the content-length check (it's not required by the HTTP 1.1 spec) and check the actual length of the post body.
> Snippet from RpcServlet:
>
>     int length = request.getContentLength();
>     if (length <= 0) {
>       logger.info("No Content-Length specified.");
>       response.setStatus(HttpServletResponse.SC_LENGTH_REQUIRED);
>       return;
>     }
>     if (length > POST_REQUEST_MAX_SIZE) {
>       logger.info("Request size too large: " + length);
>       response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
>       return;
>     }
>     ServletInputStream is = request.getInputStream();
>     // reads the whole body into memory before its size is compared
>     byte[] body = IOUtils.toByteArray(is);
>     if (body.length != length) {
>       logger.info("Wrong size. Length: " + length + " real: " + body.length);
>       response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
>       return;
>     }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
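The approach the issue proposes, bounding the number of bytes actually consumed from the request stream rather than trusting the client-supplied Content-Length, as an added example. This is not Shindig's code: the class BoundedBodyReader, the methods readBounded and lengthMatches, and the 64 KiB cap standing in for POST_REQUEST_MAX_SIZE are assumptions made here, and the request bodies are constructed inline so the example runs without a servlet container.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not Shindig code): read a POST body with a hard cap on the
 * bytes consumed, independent of whatever Content-Length the client declared.
 */
public final class BoundedBodyReader {

    /** Thrown when the body exceeds the configured maximum. */
    public static final class BodyTooLargeException extends IOException {
        public BodyTooLargeException(int max) {
            super("Request body exceeds " + max + " bytes");
        }
    }

    /**
     * Reads at most maxSize bytes from in. If the stream yields even one byte
     * more, reading stops and BodyTooLargeException is thrown, so a lying or
     * absent Content-Length can never make us buffer an unbounded body.
     */
    public static byte[] readBounded(InputStream in, int maxSize) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int remaining = maxSize;
        int n;
        while (remaining > 0
                && (n = in.read(chunk, 0, Math.min(chunk.length, remaining))) != -1) {
            buf.write(chunk, 0, n);
            remaining -= n;
        }
        // The cap is reached; probe one more byte to tell "exactly maxSize"
        // (acceptable) from "more than maxSize" (reject without reading it).
        if (remaining == 0 && in.read() != -1) {
            throw new BodyTooLargeException(maxSize);
        }
        return buf.toByteArray();
    }

    /**
     * Optional consistency check kept for clients that do send Content-Length.
     * A negative declaredLength is what the servlet API reports when no length
     * is known (for example with chunked transfer encoding), so it is accepted.
     */
    public static boolean lengthMatches(int declaredLength, byte[] body) {
        return declaredLength < 0 || declaredLength == body.length;
    }

    public static void main(String[] args) throws IOException {
        final int maxSize = 64 * 1024; // hypothetical stand-in for POST_REQUEST_MAX_SIZE

        // Constructed input: the client claims 100 bytes but streams 1 MiB.
        byte[] oversized = new byte[1024 * 1024];
        Arrays.fill(oversized, (byte) 'A');
        try {
            readBounded(new ByteArrayInputStream(oversized), maxSize);
            System.out.println("unexpected: oversized body accepted");
        } catch (BodyTooLargeException e) {
            // Only maxSize + 1 bytes were ever read, no matter how large the body is.
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed input: a small body whose declared length does not match.
        byte[] small = "{\"method\":\"people.get\"}".getBytes(StandardCharsets.UTF_8);
        byte[] body = readBounded(new ByteArrayInputStream(small), maxSize);
        System.out.println("declared 100, read " + body.length
                + ", match=" + lengthMatches(100, body));
        System.out.println("no Content-Length, read " + body.length
                + ", match=" + lengthMatches(-1, body));
    }
}
```

In a servlet the stream passed to readBounded would be request.getInputStream(), and the two failure modes map to the same statuses the original snippet already uses: BodyTooLargeException to SC_REQUEST_ENTITY_TOO_LARGE and a false lengthMatches to SC_BAD_REQUEST. The essential change is ordering: the size limit is enforced while reading, not after the whole body has already been buffered.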