Set maximum URL length in Jetty

Phuong Luu Hoang

I looked and found that the answer for people having issues with a GET request URL exceeding the maximum length in Jetty is to set headerBufferSize in jetty.xml to a bigger number, as in this Solr troubleshooting manual and this.

However, I have a hard time understanding what the header buffer size has to do with the request URL's length. If setting headerBufferSize increases the request's URL length limit, what maximum URL length does a headerBufferSize value of 6 KB correspond to? The reason I ask is that the maximum URL length imposed by most browsers is around 2000 characters, as in What is the maximum length of a URL in different browsers?, and headerBufferSize's unit is bytes.

Joakim Erdfelt

In a typical POST request you will see the following ...

POST /to/my/path HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Host: https://my.machine.com
Content-Length: 10

Action=Add

Breaking this down:

  • The POST through Content-Length lines are the Request Headers.
    • The POST line is known, in HTTP terminology, as the Request-Line; it contains the method (POST) + abs_path (/to/my/path) + HTTP version (HTTP/1.1)
    • Content-Type - lets us know how the body content is formatted/encoded.
    • Host - lets the server know what host was being accessed (used mainly by virtual host setups)
    • Content-Length - lets us know that there are 10 bytes of body content
  • The Action=Add is the POST body content.

At its heart there are 2 parts of a request or response, the Headers and the Body Content.

When you set the headerBufferSize you are setting the ultimate upper limit for the header content (not body content).

There are a number of abuses / vulnerabilities present when you have unlimited header sizes, ranging from abusive memory consumption to intentional hashmap collisions resulting in excessive CPU use. Limiting the header buffer sizes limits the scope of these kinds of issues. (These vulnerabilities are not unique to Jetty, but exist for all web servers.)

If you are hitting these limits, you should consider evaluating how you are using Solr (such as incorrectly using GET when you should be using POST), as increasing the headerBufferSize will also open you up to the various known web vulnerabilities.

Update: Oct 24, 2013

See other answer related to What is the maximum length of a URL
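
The relationship described in the answer, as an added example that is not part of the original answer and not Jetty's code: a simplified header buffer that counts the Request-Line (and so the URL) against the limit but never reads the body. The 6 KB limit is the figure from the question; the function names, the host name and the sample query are assumptions constructed for illustration.

```python
import io
from urllib.parse import urlencode

HEADER_LIMIT = 6 * 1024  # the 6 KB figure from the question, in bytes


class HeaderTooLarge(Exception):
    """The request line plus headers did not fit in the header buffer."""


def read_head(stream, limit=HEADER_LIMIT):
    """Buffer bytes up to the blank line that ends the headers.

    Simplified model of a header buffer, not Jetty's parser: the request
    line (and so the URL) is counted, the body is never read.
    """
    buf = bytearray()
    while not buf.endswith(b"\r\n\r\n"):
        if len(buf) >= limit:
            raise HeaderTooLarge(f"head exceeds {limit} bytes")
        byte = stream.read(1)
        if not byte:
            raise ValueError("stream ended before the end of the headers")
        buf += byte
    return bytes(buf)


def build_get(path, params, host="solr.example.test"):
    # Parameters travel in the Request-Line, inside the header block.
    return f"GET {path}?{urlencode(params)} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def build_post(path, params, host="solr.example.test"):
    # Same parameters, moved to the body; only Content-Length grows.
    body = urlencode(params).encode("ascii")
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded;charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    return head + body


def head_size(raw, limit=HEADER_LIMIT):
    """Return the header-block size in bytes, or None if it is rejected."""
    try:
        return len(read_head(io.BytesIO(raw), limit))
    except HeaderTooLarge:
        return None


# Constructed sample: a query naming 1000 document ids.
PARAMS = {"q": " OR ".join(f"id:{i}" for i in range(1000))}

if __name__ == "__main__":
    print("GET :", head_size(build_get("/solr/select", PARAMS)))
    print("POST:", head_size(build_post("/solr/select", PARAMS)))
```

The limit is counted in bytes after percent-encoding and is shared with every other header, so a 2000-character query of non-ASCII text can exceed 6 KB even though 2000 ASCII characters fit easily.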
