Jeanfrancois Arcand wrote:
> Hi,
>
> Vivek Pandey wrote:
>> This bug was reported on glassfish gem. Seems to me like a bug. I
>> guess grizzly should handle it. Should I open an issue on grizzly or
>> glassfish grizzly component or is it a known bug?
>
> I'm not sure it is a bug at all...I suspect Tomcat does the same as it
> looks like a DoS attack (from w3c)
It seems like a log entry should be written at the very least, even if
we are dropping such requests. Maybe a one-time thing? Something like
"Long request detected, ignoring it and future similar requests due to
risk of DoS attack. Use {Some flag} to enable responses to long requests".
>
>
>> The server is refusing to service the request because the Request-URI
>> is longer than the server is willing to interpret. This rare
>> condition is only likely to occur when a client has improperly
>> converted a POST request to a GET request with long query
>> information, when the client has descended into a URI "black hole" of
>> redirection (e.g., a redirected URI prefix that points to a suffix of
>> itself), or when the server is under attack by a client attempting to
>> exploit security holes present in some servers using fixed-length
>> buffers for reading or manipulating the Request-URI.
>
> I don't think we MUST return a 414.
>
> File it as an RFE and we will try to integrate in 1.9.9
>
> Thanks!
>
> -- Jeanfrancois
>
>
>>
>> -vivek.
>>
>>
>> -------- Original Message --------
>> Subject: [ glassfishgem-Bugs-24491 ] Glassfish swallows >8KiB
>> HTTP requests
>> Date: Thu, 12 Mar 2009 12:09:29 -0400 (EDT)
>> From: noreply_at_rubyforge.org
>> Reply-To: issues_at_glassfish-scripting.dev.java.net
>> To: noreply_at_rubyforge.org
>>
>>
>>
>> Bugs item #24491, was opened at 2009-03-12 17:09
>> You can respond by visiting:
>> http://rubyforge.org/tracker/?func=detail&atid=21080&aid=24491&group_id=5450
>>
>>
>> Category: None
>> Group: None
>> Status: Open
>> Resolution: None
>> Priority: 3
>> Submitted By: Xuân Baldauf (mediumnet)
>> Assigned to: Nobody (None)
>> Summary: Glassfish swallows >8KiB HTTP requests
>>
>> Initial Comment:
>> Try to produce a simple HTTP request like
>>
>> GET /foo/bar/loooooooooooooooooooong HTTP/1:0
>> Host: somehost
>>
>> where "loooooooooooooooooooong" has so many 'o' characters such that
>> the whole request has a size >8192 bytes.
>>
>> Then, this HTTP request does not get answered, it gets silently
>> ignored. The TCP connection is closed immediately. No log file entry
>> is written. Note that this happens even if the setting
>> "header-buffer-length-in-bytes" in domains/domain1/config/domain.xml
>> is increased from 8192 to 65536 or so.
>>
>> What should happen is a "HTTP/1.1 414 Request Too Long" response and
>> a log file entry. Additionally, the limit should be changeable.
>>
>
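
An added sketch of the behaviour asked for in this thread (not Grizzly or GlassFish code, and not written by anyone in the thread): a configurable request-line cap that answers 414 and writes a one-time log entry instead of closing the connection silently. It is in Python for brevity; the class name, logger name and peer address are assumptions.

```python
import logging
import threading

log = logging.getLogger("http.limits")  # hypothetical logger name
RESPONSE_414 = (b"HTTP/1.1 414 Request-URI Too Long\r\n"
                b"Connection: close\r\nContent-Length: 0\r\n\r\n")


class RequestLineGuard:
    """Bounded request-line check that answers 414 and logs once instead of dropping."""

    def __init__(self, max_bytes=8192):
        self.max_bytes = max_bytes   # configurable; 8192 is the size named in the report
        self.rejected = 0            # keeps counting after the log message goes quiet
        self._warned = False
        self._lock = threading.Lock()

    def check(self, buffered, peer):
        """buffered: bytes received so far on one connection.
        Returns ("more", None), ("ok", request_line) or ("reject", RESPONSE_414)."""
        eol = buffered.find(b"\r\n")
        if eol != -1 and eol <= self.max_bytes:
            return "ok", buffered[:eol]
        if eol == -1 and len(buffered) <= self.max_bytes + 1:
            return "more", None      # still under the cap, keep reading
        with self._lock:
            self.rejected += 1
            first = not self._warned
            self._warned = True
        if first:
            # Log the peer and the limit only: the oversized URI is
            # client-controlled and must not be copied into the log.
            log.warning("Request line from %s exceeds %d bytes; answering 414. "
                        "Further oversized requests are counted, not logged.",
                        peer, self.max_bytes)
        return "reject", RESPONSE_414


def demo():
    # Constructed sample input, modelled on the request in the bug report.
    guard = RequestLineGuard(max_bytes=8192)
    long_req = b"GET /foo/bar/l" + b"o" * 9000 + b"ng HTTP/1.0\r\nHost: somehost\r\n\r\n"
    short_req = b"GET /foo/bar HTTP/1.0\r\nHost: somehost\r\n\r\n"
    return [guard.check(short_req, "192.0.2.10"),
            guard.check(long_req[:8194], "192.0.2.10"),  # rejected before the line ends
            guard.check(long_req, "192.0.2.10"),
            guard.rejected]
```

The reader feeding `check` should stop reading once it holds `max_bytes + 2` bytes without a CRLF, so a client cannot make the server buffer more than the cap.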