Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Won't Fix
-
http-2.2.0
-
None
-
apache-karaf-2.2.5
Description
We have developed a simple file exchange application using OSGi. THe upload to this application is using a HTTP upload form field, which creates a large multipart POST request.
During our Q/A sessions, we discovered, that it is impossible to intentionally close the network socket, when the upload request exceeds a configurable limit.
We've tried the following approaches
1) request.getInputStream().close()
2) Throw an IOException in doPost() once the critical length of input data is reached.
3) Throw a ServletException in doPost()
4) Throw a SecurityException in doPost()
It turned out, that in 1) the close()-Method reads the whole request (may be Gigabytes of data...) before actually closing the socket.
2), 3) ad 4) seem to wait for the whole request before sending a 500 Internal Server Error to the client.
I will attach a small sample bundle in which the behaviour may be inspected in detail.
We classify this as a security problem, because a malicious user might trigger a DDoS attack by just sending a few ultra-large requests to any servlet deployed to an OSGi container. It might even suffice to to POST ultra-large data to an unknown URL, because the HTTP service first reads all the data of the request before issuing 404 Not Found or 400 Method Not Supported to the client.
We'd expect, that the HTTP service closes the network socket, whenever a POST request arrives and the consuming servlet throws an exception before the whole request has been read from the network socket.
Furthermore, it should be possible to close the network socket instead of issuing 404 Not Found when a POST request hits an unknown URL. This option might be turned on by a configuration option.
TIA for inspecting this issue and best regards, Wolfgang