Re: [jetty-users] Header too large

John,

It is always difficult with bad requests to know what info should be logged and/or included in error messages and exceptions. If it is the header name itself that is large, then logging it may become a DoS vector as it can fill up file systems etc. Then they can include bad characters that can be some form of other attack as well.

Thus we tend to avoid including user-provided data in warnings. We still do in some places, but over time we get security warnings about them and remove them.

cheers

On Sat, 1 Feb 2025 at 16:24, John English via jetty-users <jetty-users@xxxxxxxxxxx> wrote:
On 01/02/2025 16:45, Greg Wilkins via jetty-users wrote:
>
> Jan,
>
> I don't think request logging will help, as the request has been
> rejected already.
>
> John,
>
> You could turn on debug for HttpParser, which would be a little verbose,
> but would certainly eventually tell you the header.
>
> Other than that, you are probably best to make a custom version of that
> class in jetty that dumps the info you want before that error message.

OK, thanks.

A suggestion for a future version: perhaps make such warnings a bit more
informative?

--
John English
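
The logging concern raised in the reply at the top of this thread (oversized header names filling file systems, and bad characters reaching the log) can be handled by logging only a bounded, escaped summary of the rejected bytes. The following is an added example, not Jetty code and not from either poster; the class `LogSafe`, the method `summarize` and the 64-byte cap are hypothetical choices for illustration.

```java
import java.nio.charset.StandardCharsets;

/** Added example: bounded, escaped rendering of untrusted header bytes for log output. */
public final class LogSafe {
    // Assumed cap for illustration; worst case output is about 4x this many characters.
    static final int MAX_LOGGED_BYTES = 64;

    /** Returns a printable, length-limited summary of bytes received from a client. */
    static String summarize(byte[] raw) {
        int shown = Math.min(raw.length, MAX_LOGGED_BYTES);
        StringBuilder sb = new StringBuilder(shown + 32);
        sb.append('"');
        for (int i = 0; i < shown; i++) {
            int b = raw[i] & 0xFF;
            if (b == '\\' || b == '"') {
                // Escape the quoting characters so the summary stays unambiguous.
                sb.append('\\').append((char) b);
            } else if (b >= 0x20 && b < 0x7F) {
                sb.append((char) b);
            } else {
                // CR, LF, ESC, NUL and non-ASCII bytes are hex-escaped so they
                // cannot start a new log line or drive a terminal.
                sb.append(String.format("\\x%02X", b));
            }
        }
        sb.append('"');
        if (raw.length > shown) {
            // Record the true size without writing the data itself.
            sb.append("...(").append(raw.length).append(" bytes total)");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        byte[] injected = "X-Trace\r\n2025-02-01 WARN forged entry"
                .getBytes(StandardCharsets.ISO_8859_1);
        byte[] oversized = "A".repeat(100_000).getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("rejected header name: " + summarize(injected));
        System.out.println("rejected header name: " + summarize(oversized));
    }
}
```

Each rejected request then costs a fixed, small amount of log space regardless of how large the offending header was, and the log still records its first bytes and total length for diagnosis.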
