
Warnings about "unable to parse form content" are not helpful for troubleshooting #6268

Closed
LIANGQI0811 opened this issue May 13, 2021 · 6 comments

@LIANGQI0811


java version "1.8.0_291"
Linux/CentOS 7

Description


I noticed that org.eclipse.jetty.server.Request#getParameters

private MultiMap<String> getParameters()
{
    if (!_contentParamsExtracted)
    {
        // content parameters need boolean protection as they can only be read
        // once, but may be reset to null by a reset
        _contentParamsExtracted = true;

        // Extract content parameters; these cannot be replaced by a forward()
        // once extracted and may have already been extracted by getParts() or
        // by a processing happening after a form-based authentication.
        if (_contentParameters == null)
        {
            try
            {
                extractContentParameters();
            }
            catch (IllegalStateException | IllegalArgumentException e)
            {
                throw new BadMessageException("Unable to parse form content", e);
            }
        }
    }
    .....
}

IllegalStateException will be decorated into BadMessageException, and the exception message will be BadMessageException's message.

This is unreasonable. I care about IllegalStateException's message instead of BadMessageException's message!

e.g.
If the body size exceeds the limit, the extractContentParameters() method will throw IllegalStateException with message "Form is larger than max length xxx",
and in org.eclipse.jetty.server.Request#getParameters() it will be decorated into BadMessageException with message "Unable to parse form content".
The log will print "Unable to parse form content", not "Form is larger than max length xxx".
I think "Form is larger than max length xxx" is more useful than "Unable to parse form content".

@LIANGQI0811
Author

jetty version: 9.4.35

@janbartel
Contributor

You probably don't want information about the server configuration (max form size) leaking to clients - could give attackers information.

@LIANGQI0811
Author

Of course, can we compromise? For example, print the detailed reason to the debug log.

@LIANGQI0811
Author

Of course, ERROR log is better

@janbartel
Contributor

We could do Log.WARN level with the original message, e.g. "Form is larger than max length xxx". This wouldn't be a full stack trace, as attackers can force this to happen and cause resources on the server to be exhausted (i.e. gigantic log files).
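The split the maintainer describes, as an added stand-alone example that is not Jetty's own code: the client keeps receiving the generic "Unable to parse form content" reason, while the server log gets the original message at WARN as a one-line string with no throwable attached (so no stack trace per request). The class names, the in-memory log list, the 400 status and the 200000-byte limit are assumptions made up for the example.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified stand-in for the Jetty classes discussed in this issue (example code, not Jetty's).
public class FormParseLogging {
    // Constructed in-memory log sink so the example runs without a logging framework.
    static final List<String> LOG = new ArrayList<>();

    static class BadMessageException extends RuntimeException {
        final int code;
        BadMessageException(int code, String reason, Throwable cause) {
            super(reason, cause);
            this.code = code;
        }
    }

    static final int MAX_FORM_SIZE = 200_000; // hypothetical server-side limit

    // Stand-in for extractContentParameters(): rejects oversized bodies with the detailed reason.
    static void extractContentParameters(int contentLength) {
        if (contentLength > MAX_FORM_SIZE)
            throw new IllegalStateException("Form is larger than max length " + MAX_FORM_SIZE);
    }

    // Before: the wrapper message is all that reaches the log, the real cause is lost.
    static void getParametersBefore(int contentLength) {
        try {
            extractContentParameters(contentLength);
        } catch (IllegalStateException | IllegalArgumentException e) {
            throw new BadMessageException(400, "Unable to parse form content", e);
        }
    }

    // After: log the cause message at WARN without the throwable (no stack trace, bounded
    // log growth per request), then hand the client only the generic 400 reason.
    static void getParametersAfter(int contentLength) {
        try {
            extractContentParameters(contentLength);
        } catch (IllegalStateException | IllegalArgumentException e) {
            LOG.add("WARN " + e.getMessage()); // message only; no e passed, so no stack trace
            throw new BadMessageException(400, "Unable to parse form content", e);
        }
    }

    public static void main(String[] args) {
        try { getParametersBefore(300_000); } catch (BadMessageException e) { LOG.add("WARN " + e.getMessage()); }
        try { getParametersAfter(300_000); } catch (BadMessageException e) { /* client sees 400, generic reason */ }
        LOG.forEach(System.out::println); // first line is the unhelpful generic message, second the useful one
    }
}
```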

janbartel added a commit that referenced this issue May 20, 2021
Signed-off-by: Jan Bartel <janb@webtide.com>
@janbartel janbartel self-assigned this May 20, 2021
janbartel added a commit that referenced this issue May 25, 2021
* Issue #6268 Log max form size exceeded msg.

Signed-off-by: Jan Bartel <janb@webtide.com>
@LIANGQI0811
Author

Very well, thanks to the Jetty project team!

@joakime changed the title from "jetty Exception information prompts unfriendly" to "Warnings about "unable to parse form content" are not helpful for troubleshooting" on Jun 8, 2021