Set maximum URL length in Jetty


Problem description

I looked and found that the answer to some people having an issue with a GET request URL exceeding the maximum length in Jetty is to set the headerBufferSize in jetty.xml to be a bigger number, as in this Solr troubleshooting manual and this.

However, I have a hard time understanding what the header buffer size has to do with the request URL's length. If setting headerBufferSize increases the request's URL length limit, what does a value of 6 KB for headerBufferSize correspond to in terms of the maximum length of the request's URL? The reason I ask is that the maximum length of a URL imposed by most browsers is around 2000 characters, as in What is the maximum length of a URL in different browsers?, and headerBufferSize's unit is bytes.

Solution

In a typical POST request you will see the following ...

POST /to/my/path HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Host: my.machine.com
Content-Length: 10

Action=Add

Breaking this down:

  • The POST through Content-Length lines are the Request Headers.
    • The POST line is known, in HTTP terminology, as the Request-Line; it contains the method (POST) + abs_path (/to/my/path) + HTTP version (HTTP/1.1)
    • Content-Type - lets us know how the body content is formatted/encoded.
    • Host - lets the server know what host was being accessed (used mainly by virtual host setups)
    • Content-Length - lets us know that there are 10 bytes of body content
  • The Action=Add is the POST body content.

At its heart there are 2 parts of a request or response, the Headers and the Body Content.

When you set the headerBufferSize you are setting the ultimate upper limit for the header content (not body content).

There are a number of abuses / vulnerabilities present when you have unlimited header sizes, ranging from abusive memory consumption to intentional hashmap collisions resulting in excessive CPU use. Limiting the header buffer sizes limits the scope of these kinds of issues. (These vulnerabilities are not unique to Jetty, but exist for all web servers.)

If you are hitting these limits, you should consider evaluating how you are using Solr (such as incorrectly using GET when you should be using POST), as increasing the headerBufferSize will also open you up to the various known web vulnerabilities.

Update: Oct 24, 2013

See other answer related to What is the maximum length of a URL
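
Added example (not part of the original answer and not Jetty code): a small model of a header-size cap, showing how much room a 6 KB limit leaves for the request target once the other headers are counted, and that a POST body does not count against it. It assumes the limit covers the request line, all header fields and the terminating blank line; the headers and the /select path are constructed sample values.

```python
# Added illustration (not Jetty code). Assumption: the limit covers the request
# line, every header field and the terminating blank line; the body is excluded.
CRLF = b"\r\n"

def build_request(method, target, headers, body=b"", version="HTTP/1.1"):
    """Serialize an HTTP/1.1 request from its parts."""
    lines = [f"{method} {target} {version}".encode("ascii")]
    lines += [f"{name}: {value}".encode("ascii") for name, value in headers]
    return CRLF.join(lines) + CRLF + CRLF + body

def header_section_size(raw):
    """Bytes up to and including the blank line that ends the headers."""
    end = raw.find(CRLF + CRLF)
    if end == -1:
        raise ValueError("header section is not terminated")
    return end + len(CRLF + CRLF)

def fits_header_buffer(raw, limit):
    """True when the header section alone is within the configured limit."""
    return header_section_size(raw) <= limit

def max_target_length(method, headers, limit, version="HTTP/1.1"):
    """Longest request target (path + query string) that still fits in limit."""
    empty = build_request(method, "", headers, version=version)
    return max(0, limit - header_section_size(empty))

LIMIT = 6 * 1024  # the 6 KB value from the question

# Constructed sample headers for a browser-style GET.
GET_HEADERS = [("Host", "my.machine.com"), ("Accept", "*/*"),
               ("Cookie", "session=" + "a" * 512)]

if __name__ == "__main__":
    budget = max_target_length("GET", GET_HEADERS, LIMIT)
    print("target budget under 6 KB:", budget, "bytes")
    # "/select?q=" is 10 bytes, so these targets are budget and budget + 1 long.
    ok = build_request("GET", "/select?q=" + "x" * (budget - 10), GET_HEADERS)
    too_long = build_request("GET", "/select?q=" + "x" * (budget - 9), GET_HEADERS)
    print(fits_header_buffer(ok, LIMIT), fits_header_buffer(too_long, LIMIT))
    # Same parameters moved into a POST body: the header section stays small.
    post = build_request("POST", "/select", GET_HEADERS, body=b"q=" + b"x" * 100000)
    print(fits_header_buffer(post, LIMIT))
```

Every extra header, a large Cookie in particular, comes out of the same budget as the URL, which is why the byte limit does not map to one fixed URL length.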
