367638: 361316: protected multipart filter from DoS
parent
d66f45f2da
commit
d0b81a185c
|
@ -75,6 +75,9 @@ import org.eclipse.jetty.util.resource.Resource;
|
||||||
* <p>
|
* <p>
|
||||||
* If the context init parameter "org.eclipse.jetty.server.context.ManagedAttributes" is set to a comma separated list of names, then they are treated as
|
* If the context init parameter "org.eclipse.jetty.server.context.ManagedAttributes" is set to a comma separated list of names, then they are treated as
|
||||||
* context attribute names, which if set as attributes are passed to the servers Container so that they may be managed with JMX.
|
* context attribute names, which if set as attributes are passed to the servers Container so that they may be managed with JMX.
|
||||||
|
* <p>
|
||||||
|
* The maximum size of a form that can be processed by this context is controlled by the system properties org.eclipse.jetty.server.Request.maxFormKeys
|
||||||
|
* and org.eclipse.jetty.server.Request.maxFormContentSize. These can also be configured with {@link #setMaxFormContentSize(int)} and {@link #setMaxFormKeys(int)}
|
||||||
*
|
*
|
||||||
* @org.apache.xbean.XBean description="Creates a basic HTTP context"
|
* @org.apache.xbean.XBean description="Creates a basic HTTP context"
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -59,6 +59,13 @@ import org.eclipse.jetty.util.TypeUtil;
|
||||||
* <p>
|
* <p>
|
||||||
* If the init parameter "delete" is set to "true", any files created will be deleted when the
|
* If the init parameter "delete" is set to "true", any files created will be deleted when the
|
||||||
* current request returns.
|
* current request returns.
|
||||||
|
* <p>
|
||||||
|
* The init parameter maxFormKeys sets the maximum number of keys that may be present in a
|
||||||
|
* form (default set by system property org.eclipse.jetty.server.Request.maxFormKeys or 1000) to protect
|
||||||
|
* against DOS attacks by bad hash keys.
|
||||||
|
* <p>
|
||||||
|
* The init parameter deleteFiles controls if uploaded files are automatically deleted after the request
|
||||||
|
* completes.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class MultiPartFilter implements Filter
|
public class MultiPartFilter implements Filter
|
||||||
|
@ -69,6 +76,7 @@ public class MultiPartFilter implements Filter
|
||||||
private boolean _deleteFiles;
|
private boolean _deleteFiles;
|
||||||
private ServletContext _context;
|
private ServletContext _context;
|
||||||
private int _fileOutputBuffer = 0;
|
private int _fileOutputBuffer = 0;
|
||||||
|
private int _maxFormKeys = Integer.getInteger("org.eclipse.jetty.server.Request.maxFormKeys",1000).intValue();
|
||||||
|
|
||||||
/* ------------------------------------------------------------------------------- */
|
/* ------------------------------------------------------------------------------- */
|
||||||
/**
|
/**
|
||||||
|
@ -82,6 +90,9 @@ public class MultiPartFilter implements Filter
|
||||||
if(fileOutputBuffer!=null)
|
if(fileOutputBuffer!=null)
|
||||||
_fileOutputBuffer = Integer.parseInt(fileOutputBuffer);
|
_fileOutputBuffer = Integer.parseInt(fileOutputBuffer);
|
||||||
_context=filterConfig.getServletContext();
|
_context=filterConfig.getServletContext();
|
||||||
|
String mfks = filterConfig.getInitParameter("maxFormKeys");
|
||||||
|
if (mfks!=null)
|
||||||
|
_maxFormKeys=Integer.parseInt(mfks);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* ------------------------------------------------------------------------------- */
|
/* ------------------------------------------------------------------------------- */
|
||||||
|
@ -134,7 +145,7 @@ public class MultiPartFilter implements Filter
|
||||||
String content_transfer_encoding=null;
|
String content_transfer_encoding=null;
|
||||||
|
|
||||||
|
|
||||||
outer:while(!lastPart)
|
outer:while(!lastPart && params.size()<_maxFormKeys)
|
||||||
{
|
{
|
||||||
String type_content=null;
|
String type_content=null;
|
||||||
|
|
||||||
|
|
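Review bot: The new loop condition `params.size()<_maxFormKeys` makes the parser stop quietly once the key limit is reached, so unless code after the loop (outside this hunk) checks for it, the request is passed down the chain with a truncated parameter set and the application cannot tell a complete form from a clipped one. A limit that exists to stop hash-collision DoS should fail closed: keep `while(!lastPart)` and reject at the top of the loop body, for example `if(params.size()>=_maxFormKeys) throw new IllegalStateException("Form too many keys");`. In the init hunk, `Integer.parseInt(mfks)` accepts zero or a negative value, which would make this loop never run and silently drop every multipart field, so a range check there that fails initialisation on a non-positive value would surface the misconfiguration at startup. The loop body and the rest of the enclosing method lie outside the visible hunk.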