Different behaviour with maxFormContentSize=0 if Content-Length header is present/missing #3856
Comments
|
See point 6 in RFC7230 3.3.3, I think this indicates that if you want to have content in a request, then you need a content-length header (or a transfer encoding). Are you sure that without a content-length that Curl is not chunk encoding the message body? Can you show us the full headers of a request that fails? |
|
Hi Greg,
okay, i can get that, so the parameters or not parsed, then, but why is the Body-InputStream checked against this then, and throw a "Form too large"? HTTP2: HTTP1.1: Thanks, Georg |
|
Georg, So without a content-length, HTTP/1.1 should conclude that there is no body to the request. This risk here is that any data sent as the body of the request will then be interpreted as the next request on the connection. In short, send content-length. But we will investigate what we are doing if there is no content-length. @sbordet thoughts? |
|
@gregw thanks, so far! |
|
@gregw yes this behavior looks strange, so needs investigation. |
|
I cannot reproduce, as it always works for me. I am using At this point we need an exact way to reproduce, including the server side. The error 400 that you get may be due to something else. |
|
i'll try to do wrap it in a test case, is there a good point / example where to put in the jetty code? |
|
Please zip it and attach it here. |
|
http2-max-form-size-test-master.zip it seems to be connected to how we initialize the jetty ServletContextHandler, in our default the _maxFormContentSize/_maxFormKeys is set to 0 and it behaves the same in http1.1/http2 i'm bit puzzeled, why i had this different behavior ... but i would expect, if maxFormContentSize = 0, the form is still to large if the content-length is set .... |
|
@gbu-censhare with your reproducer project, I can see the same behavior for HTTP/1.1 and HTTP/2, but a different behavior depending on whether the So we'll make sure the behavior is consistent with regards to |
|
Yes, please, i don't know why i misinterpreted in the first place and thanks :) |
sbordet
changed the title
|
@gbu-censhare can you please build and try branch |
…t-Length header is present/missing. Changes after review. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
|
@sbordet thanks, looks good to me! |
…t-Length header is present/missing. Updated code to reflect reviews. Now lookup of system properties and server attributes is done in ContextHandler.doStart(), so that the getter always return the actual value (and this is good for JMX too). Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
…t-Length header is present/missing. Changed the logic to lookup server attributes if there is no context. This fixes a failing test that was explicitly setting the server attributes after start. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
…t-Length header is present/missing. Removed duplicated, unused, code. Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
…tLength_behavior Fixes #3856 - Different behaviour with maxFormContentSize=0 if Content-Length header is present/missing.
Hi,
with jetty 9.4.19 some visitors cannot post on our website anymore whe HTTP 2 is in use.
from our tests it works fine as long as a "content-length" header is supplied. if this header is missing it is still working with HTTP 1.1, but not with HTTP 2
it seems the the inputstream of UrlEncoded.decodeUtf8To reads some bytes if HTTP 2 is used but not in HTTP 1.1.
this breaks as soon as HttpServletRequest.getParameters() is called.
if i interpreted the RFCs right the content-length header is not required.
curl 'https://localhost/' -H 'Content-Length:' -H 'Connection: keep-alive' -H 'Cache-Control: max-age=0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'login=user&password=pass' --compressed -D - -q -o /dev/null --http1.1The text was updated successfully, but these errors were encountered: