0

I have made an HTTP server, and here are some questions. Let's say - when server is receiving HTTP header - it is also counting data received size. If some hacker trying to send let's say header which is 100 MB, and server is configured to accept up to 1 MB header - how to proceed in this situation? I can close connection, or break this loop and send response with some error code:

 BufferedInputStream is = new BufferedInputStream(socket.getInputStream(), 2048);

 int read;
 while ((read = is.read(bufferData, 0, 2048)) != -1) {
    //If header too long - what to do? Break and close connection or just break and send response?
 }

If I suddenly stop receiving data (while client is still transmitting) - and then will begin write some date to OutputStream - what would happen?

Ernestas Gruodis
  • 8,567
  • 14
  • 55
  • 117
  • Depends how robust server you want. Perhaps you should limit the size to some limit, e.g. 2k, 4k or 16k - whatever is your choice. – gaborsch Mar 10 '14 at 18:43
  • He will receive connection peer reset error. And your code does not handle this connection anymore. – Leos Literak Mar 10 '14 at 18:43

1 Answers1

1

You should send back an HTTP Error. I would recommend status code 400: Bad Request or status code 431 (credit to Julian below for pointing this one out). You could use an integer in your loop to keep track and make sure you haven't run over your limit.

To handle this, I would just stop reading data. You typically want to close all your streams together so I would throw an exception to break out of the loop and in the catch block send back the error code. Handle closing connections in the finally block.

Nathan
  • 2,093
  • 3
  • 20
  • 33
  • But how to send - just stop to receive data (while all data sill not received)? – Ernestas Gruodis Mar 10 '14 at 18:44
  • So then the client will notice that the data have been stopped receiving by server and will wait for server response? – Ernestas Gruodis Mar 10 '14 at 18:50
  • I found the answer [here](http://stackoverflow.com/questions/14250991/is-it-acceptable-for-a-server-to-send-a-http-response-before-the-entire-request?rq=1). But the question is not answered still.. RFC states, but browsers do not behave like that... – Ernestas Gruodis Mar 10 '14 at 19:04
  • You could just read to end but ignore and data past your buffer length, then return the error when you're at the end of the stream. It may not be as pretty a solution, but it should be compatible with any browser. – Nathan Mar 10 '14 at 19:53
  • But if hacker sending continuous data without stopping? I will do some experiments later, and will see. – Ernestas Gruodis Mar 10 '14 at 20:06
  • 1
    You can always add a failover (say, 4 times your maximum buffer) to distinguish between "this person accidentally sent too much data" and "this may be malicious". When you hit the malicious threshhold, throw an exception and do whatever security measure you think is necessary. – Nathan Mar 10 '14 at 23:40
  • I did some testings, and found that connection in such case MUST be closed after error was sent. It is also mentioned in RFC2616 - 8.2.2 Monitoring Connections for Error Status Messages – Ernestas Gruodis Mar 14 '14 at 08:33
  • Also, before sending an error, I did `inputStream.skip(inputStream.available());` – Ernestas Gruodis Mar 14 '14 at 10:07