@ngocdaothanh
Thanks, #656 made it possible to prevent a single big file request.
But there are still some vulnerabilities.
I want to allow users to upload big files and prevent evil requests.
Is there any way to protect the service from those evil scenarios?
- Evil Scenario 1:
Many requests, each less than maxSizeInMB, at the same time.
xitrum.conf
request {
maxSizeInMB = 1024
maxSizeInKBOfUploadMem = 16
}
Using a header that is not isAPPLICATION_X_WWW_FORM_URLENCODED_or_MULTIPART_FORM_DATA with a body of less than 1024MB, many at the same time.
cmd="printf \"ttt=%01000000000d\" 0 | curl -X POST http://localhost:8000/xxx -H \"Content-Type: application/xml\" -d @-"
bash -c "$cmd" & bash -c "$cmd" & bash -c "$cmd" & bash -c "$cmd" & bash -c "$cmd" & bash -c "$cmd" & bash -c "$cmd" & bash -c "$cmd" &
...
- Evil Scenario 2:
Too many small files, each less than maxSizeInKBOfUploadMem, in one request.
xitrum.conf (unrealistic values to make it easier to reproduce)
request {
maxSizeInMB = 10240
maxSizeInKBOfUploadMem = 1024000
}
curl -X POST http://localhost:8000 -F "1=@tmp.dat" -F "2=@tmp.dat" -F "3=@tmp.dat" -F "4=@tmp.dat" -F "5=@tmp.dat" -F "6=@tmp.dat" -F "7=@tmp.dat" -F "8=@tmp.dat" -F "9=@tmp.dat" -F "10=@tmp.dat"
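Both scenarios share one root cause: maxSizeInMB and maxSizeInKBOfUploadMem bound a single request, not the server's total memory. The following is an added example (not Xitrum's code) of the admission control a server could layer on top of those two settings; the aggregate cap max_in_flight_mb and the per-request cap max_parts_per_request are assumed names, not existing xitrum.conf keys.

```python
import threading

MB = 1024 * 1024
KB = 1024


class UploadBudget:
    """Admission control for request bodies.

    The per-request limits from xitrum.conf bound one request only; N concurrent
    bodies (scenario 1) or N in-memory parts (scenario 2) can still exhaust RAM.
    Two aggregate limits (assumed here, not Xitrum config) close that gap.
    """

    def __init__(self, max_size_mb, max_upload_mem_kb,
                 max_in_flight_mb, max_parts_per_request):
        self.max_body = max_size_mb * MB            # request.maxSizeInMB
        self.mem_part = max_upload_mem_kb * KB      # request.maxSizeInKBOfUploadMem
        self.max_in_flight = max_in_flight_mb * MB  # assumed: server-wide body budget
        self.max_parts = max_parts_per_request      # assumed: parts per multipart body
        self.in_flight = 0
        self.lock = threading.Lock()

    def try_admit(self, content_length):
        """Reserve body bytes; reject if this request or the aggregate exceeds its cap."""
        if content_length > self.max_body:
            return False
        with self.lock:
            if self.in_flight + content_length > self.max_in_flight:
                return False  # scenario 1: many mid-size bodies at the same time
            self.in_flight += content_length
            return True

    def release(self, content_length):
        """Return the bytes when the request finishes or is aborted."""
        with self.lock:
            self.in_flight -= content_length

    def check_parts(self, part_sizes):
        """Parts at or below the disk threshold stay in RAM, so cap their count
        and the sum of their sizes, not just each one individually."""
        if len(part_sizes) > self.max_parts:
            return False  # scenario 2: too many small in-memory parts in one request
        in_memory = sum(s for s in part_sizes if s <= self.mem_part)
        return in_memory <= self.max_in_flight


def simulate_scenario_1(budget, n_requests, body_bytes):
    """Count how many of n simultaneous bodies are admitted (none released yet)."""
    return sum(1 for _ in range(n_requests) if budget.try_admit(body_bytes))
```

With the config from scenario 1 (maxSizeInMB = 1024) and an assumed 2048MB server-wide budget, eight concurrent 1000MB bodies now yield two admissions and six rejections instead of eight buffered bodies.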