Re: [jetty-users] Controlling Maximum Header and Maximum Form content size

> Also, what a potential test scenario would look like. We saw  “WARN  HttpParser - Header is too large 8193>8192” in our log file and we would like to control it.


Before you go and make the header larger, know that there is a global probe of systems for vulnerabilities with large headers.

We, Jetty, have a CVE filed for it at CVE-2019-17638
See: https://www.eclipse.org/jetty/security-reports.html

Your version, 9.4.20, is not vulnerable to that header size issue, but it is subject to other security issues, see security-reports link, familiarize yourself with your 9.4.20 scoped security issues at a minimum.

If you want to configure for larger headers at the server side simply to eliminate that warning, know that it will still be there, the vulnerability probes will just keep increasing their header sizes until it triggers a different kind of response.  You will continue to get these warnings.

No legitimate (and bug free) client will send headers that large.
Most modern browsers will even fail the request at the browser side before even attempting to send the request with headers that large, as they have internal limits (on overall header table size, individual header size, overall URL size, etc).

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, Oct 5, 2020 at 10:49 AM Eze Ikonne <ike.ikonne@xxxxxxxxxx> wrote:

Hi all,

 

I would like to know what method/API to set in order to control Maximum Header length and Maximum Form content size.

We are running embedded jetty-server-9.4.20.v20190813 and I would like to control the Maximum Header Length size and Maximum Form content size.

Also, what a potential test scenario would look like. We saw  “WARN  HttpParser - Header is too large 8193>8192” in our log file and we would like to control it.

 

Thanks,

 

Ike

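An added example, not part of the original thread and not code from the Jetty project: an embedded Jetty 9.4 server that sets the request header limit and the form limits explicitly, then sends itself one request with an oversized header on loopback so the rejection and the log warning can be observed. The class name, the `X-Pad` header and the form limit values are assumptions chosen for illustration; the header limit is kept at the 8192 bytes seen in the warning, in line with the advice above not to raise it.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.ContextHandler;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class HeaderLimitExample {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Request header limit is a connector-level setting on HttpConfiguration.
        // 8192 is the limit reported in "Header is too large 8193>8192".
        HttpConfiguration httpConfig = new HttpConfiguration();
        httpConfig.setRequestHeaderSize(8192);
        ServerConnector connector =
            new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setHost("127.0.0.1"); // loopback only for this self-check
        connector.setPort(0);           // let the OS pick a free port
        server.addConnector(connector);

        // Form limits are per-context settings (illustrative values).
        ContextHandler context = new ContextHandler("/");
        context.setMaxFormContentSize(200000); // bytes of form-encoded body
        context.setMaxFormKeys(1000);          // number of form fields
        server.setHandler(context);

        server.start();
        try (Socket s = new Socket("127.0.0.1", connector.getLocalPort())) {
            // Constructed test request: one header longer than the limit.
            StringBuilder pad = new StringBuilder();
            for (int i = 0; i < 9000; i++) pad.append('a');
            String req = "GET / HTTP/1.1\r\nHost: localhost\r\nX-Pad: " + pad
                       + "\r\nConnection: close\r\n\r\n";
            s.getOutputStream().write(req.getBytes(StandardCharsets.ISO_8859_1));
            s.getOutputStream().flush();
            BufferedReader in = new BufferedReader(
                new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
            System.out.println("status line: " + in.readLine());
        } finally {
            server.stop();
        }
    }
}
```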