Using Tomcat or Spring to check if content-length header is set correctly in request

Question

In broader context, we would like to limit the size of a messages a client can send to the server by http post request.

I would like to do this by using http header content-length. So I don't have to read the full body, just check this header, and reject the request, if content-length is too large, also reject if content-lenght is missing (http 411 error code)

So I want to be sure that the actual size of message body is the same as set in content-length of the request.

The question is if Tomcat or Spring MVC (my stack) does a validate if the content-lenght is actually represents the reals size of the message body?

(This should be quite easy to implement it with a filter, just wondering if a servlet container, or spring dispatcher servlet does not do like this out of the box.)

I think the filter method would be the way to go - that is a bit of a specialized use case and neither of Tomcat or Spring does this by default. — stdunbar, May 18 '16 at 14:52
Don't forget that there is [Chunked transfer encoding](https://en.wikipedia.org/wiki/Chunked_transfer_encoding) — Ilya, May 18 '16 at 16:33
If it doesn't, it absolutely should. Potential attack vector for DDOS. — christopher, May 19 '16 at 07:36
Thx @Ilya - chunked requests we will reject automatically here. — csviri, May 19 '16 at 07:36
@stdunbar - My use case is special, however in general, it could be done to check if the message body is really the size that is in content-lenght, anyway if you put it as an answer I accept it, thx! — csviri, May 19 '16 at 07:37
@christopher, yes agree, our intention is basically to prevent that, with this. — csviri, May 19 '16 at 07:38
Found this, what is related, but does not solve the problem: http://stackoverflow.com/questions/14075287/does-maxpostsize-apply-to-multipart-form-data-file-uploads — csviri, May 20 '16 at 13:52

score 4 · Answer 1 · answered Aug 09 '16 at 14:24

4

Tomcat handles it.

After made some test on a simple web app with cases:

If content-lenght is not present it will read 0 bytes from content.
If we have longer content than provided in content-lenght header, with keep-alive true, then after reading the the body of a size content lenght, it will try to process the remaining body as a new request (and will fail with bad request)
in the same situation as in point 2, just the keep alive is false, we will still just receive body of length as in content-length header.

answered Aug 09 '16 at 14:24

csviri

1,159
3
16
31

can you point to docs or source showing how/where Tomcat handles it? thanks – Justin Dec 24 '17 at 15:17
I was not searching for it in source code, I was just testing it with nc and other fancy command line tools. – csviri Jan 03 '18 at 11:49
How about if the content is smaller than the content-length? – Glenn Bech Jan 18 '18 at 20:39
I did not try it recently, probably there will be blocking wait for data – csviri Feb 12 '18 at 12:21

Using Tomcat or Spring to check if content-length header is set correctly in request

1 Answers1