users@jersey.java.net

Denial Of Service attacks with gigabytes of form data?

From: Harald Kirsch <Harald.Kirsch_at_pifpafpuf.de>
Date: Sun, 20 Jul 2008 09:43:07 +0200

Hello,

using Jersey for the first time in an experimental application, I
stumbled over a potential denial of service (DoS) attack against @POST
resources. What happens if a user sends gigabytes of data? It seems that
the body is parsed completely before my resource class or method would
even see the data. By that time an OutOfMemory exception has certainly
happened already.

Is there a parameter somewhere to limit the size of message bodies taken
into account?

Thanks,
Harald.

-- 
--------------+---------------------------------------------
Harald Kirsch | Harald.Kirsch[bei]pifpafpuf.de 0163/240 vierzig 52
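
The failure mode raised in this message (a body buffered in full before application code sees it) can be bounded by capping the stream itself. The following is an added example, not part of the original post and not a Jersey API: `BoundedInputStream` is a hypothetical helper, and it assumes the application can wrap the request body stream before the framework reads it. The 4096-byte limit and the sample body are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

/** Hypothetical helper: fails once more than maxBytes have been read from the wrapped stream. */
public class BoundedInputStream extends FilterInputStream {
    private final long maxBytes;
    private long count;

    public BoundedInputStream(InputStream in, long maxBytes) {
        super(in);
        this.maxBytes = maxBytes;
    }

    private void account(long n) throws IOException {
        if (n > 0 && (count += n) > maxBytes) {
            throw new IOException("request body exceeds " + maxBytes + " bytes");
        }
    }

    @Override public int read() throws IOException {
        int b = super.read();
        if (b >= 0) account(1);
        return b;
    }

    // read(byte[]) in FilterInputStream delegates here, so it is covered too.
    @Override public int read(byte[] buf, int off, int len) throws IOException {
        // Never ask the source for more than one byte past the limit.
        long room = maxBytes - count + 1;
        int n = super.read(buf, off, (int) Math.min(len, room));
        account(n);
        return n;
    }

    public static void main(String[] args) throws IOException {
        byte[] body = new byte[10_000];          // constructed sample body
        InputStream in = new BoundedInputStream(new ByteArrayInputStream(body), 4096);
        byte[] chunk = new byte[1024];
        long total = 0;
        try {
            for (int n; (n = in.read(chunk)) != -1; ) total += n;
            System.out.println("accepted " + total + " bytes");
        } catch (IOException e) {
            System.out.println("rejected after " + total + " bytes: " + e.getMessage());
        }
    }
}
```

Counting bytes as they are read, rather than trusting a declared Content-Length, also covers chunked uploads that announce no length at all.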