[UNDERTOW-2405] CVE-2024-27316 Add system property io.undertow.http2-max-header-size (default value set to 20000) #1604

Merged: 3 commits merged into undertow-io:master from the UNDERTOW-2405 branch on Jun 20, 2024

Conversation

fl4via (Member)
@fl4via fl4via commented Jun 17, 2024

@fl4via fl4via changed the title [UNDERTOW-2405] Update UndertowOptions.DEFAULT_MAX_HEADER_SIZE to 20000 [UNDERTOW-2405] Add system property io.undertow.http2-max-header-size (default value set to 20000) Jun 18, 2024
@fl4via fl4via added bug fix Contains bug fix(es) next release This PR will be merged before next release or has already been merged (for payload double check) labels Jun 18, 2024
@fl4via fl4via force-pushed the UNDERTOW-2405 branch 2 times, most recently from 01e4574 to 6e3ecd9 Compare June 18, 2024 11:37
@fl4via fl4via added the under verification Currently being verified (running tests, reviewing) before posting a review to contributor label Jun 18, 2024
fl4via (Member, Author)

fl4via commented Jun 18, 2024

This PR is under verification; I am running some tests with WildFly to see what effects we have with the new limit for HTTP2 max header size in some Java EE applications, corner cases, and TCK.

@fl4via fl4via changed the title [UNDERTOW-2405] Add system property io.undertow.http2-max-header-size (default value set to 20000) [UNDERTOW-2405] CVE-2024-27316 Add system property io.undertow.http2-max-header-size (default value set to 20000) Jun 20, 2024
…r config, we can use high and low watermarks for this

This reverts commit c27c1e4.

Signed-off-by: Flavia Rainone <frainone@redhat.com>
…p2-max-header-size, for configuring the maximum size of HTTP2 header sizes, default value set to 20000

Add a test for that new configuration and update affected tests accordingly.
Also: add TODO placeholders for new config Undertow.HTTP2_MAX_HEADER_SIZE to be added in Undertow 2.4.0.Final.

Signed-off-by: Flavia Rainone <frainone@redhat.com>
…uses more data is PROTOCOL_ERROR

This makes this code consistent with the handling of headers that surpass the max header size limit elsewhere in HTTP2 (see Http2HeaderBlockParser.emitHeader), and the justification is that the max header size must have been handshaken with the peer as part of settings frame, via the SETTINGS_HEADER_TABLE_SIZE parameter.

Signed-off-by: Flavia Rainone <frainone@redhat.com>
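As an added illustration of the behaviour the last commit describes (a header block that grows past the configured maximum is rejected with PROTOCOL_ERROR, consistently with the limit check elsewhere in the HTTP/2 code), here is a small Python model of the fragment-accumulation logic. It is not Undertow's code and does not reproduce Http2HeaderBlockParser; the frame layout, type, flag and error-code constants follow RFC 9113, the 20000-byte default mirrors the PR's io.undertow.http2-max-header-size property, and the frame sequences it runs over are constructed inline. The point it demonstrates is that the cap is applied to the running total as each HEADERS or CONTINUATION fragment arrives, so the connection is failed before an unterminated header block can be buffered in full.

```python
"""Constructed example: cap the cumulative size of an HTTP/2 header block
(HEADERS + CONTINUATION fragments) as fragments arrive. Not Undertow's code."""
import struct

# Frame types, flags and the error code, as defined in RFC 9113
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS, PADDED, PRIORITY = 0x4, 0x8, 0x20
PROTOCOL_ERROR = 0x1

DEFAULT_MAX_HEADER_SIZE = 20000  # same default as io.undertow.http2-max-header-size


class Http2Error(Exception):
    def __init__(self, code, msg):
        super().__init__(msg)
        self.code = code


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    length = struct.pack(">I", len(payload))[1:]
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise Http2Error(PROTOCOL_ERROR, "truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def strip_headers_fields(flags, payload):
    """Drop the pad length, priority fields and trailing padding of a HEADERS payload."""
    pad = 0
    if flags & PADDED:
        if not payload:
            raise Http2Error(PROTOCOL_ERROR, "PADDED HEADERS without pad length")
        pad, payload = payload[0], payload[1:]
    if flags & PRIORITY:
        if len(payload) < 5:
            raise Http2Error(PROTOCOL_ERROR, "PRIORITY HEADERS too short")
        payload = payload[5:]
    if pad > len(payload):
        raise Http2Error(PROTOCOL_ERROR, "padding exceeds payload")
    return payload[:len(payload) - pad]


class HeaderBlockAccumulator:
    """Collect the header block fragments of one stream under a byte cap."""

    def __init__(self, max_header_size=DEFAULT_MAX_HEADER_SIZE):
        self.max = max_header_size
        self.stream_id = None  # stream whose header block is in progress
        self.buf = bytearray()

    def feed(self, ftype, flags, stream_id, payload):
        """Return the complete header block once END_HEADERS is seen, else None."""
        if ftype == HEADERS:
            if self.stream_id is not None:
                raise Http2Error(PROTOCOL_ERROR, "HEADERS while a header block is in progress")
            fragment = strip_headers_fields(flags, payload)
            self.stream_id = stream_id
        elif ftype == CONTINUATION:
            if self.stream_id != stream_id:
                raise Http2Error(PROTOCOL_ERROR, "CONTINUATION without a matching HEADERS")
            fragment = payload
        else:
            if self.stream_id is not None:
                raise Http2Error(PROTOCOL_ERROR, "other frame interrupts a header block")
            return None
        # The check the commit describes: count every fragment received so far
        # and reject before buffering, rather than only after END_HEADERS.
        if len(self.buf) + len(fragment) > self.max:
            raise Http2Error(PROTOCOL_ERROR, f"header block exceeds {self.max} bytes")
        self.buf += fragment
        if flags & END_HEADERS:
            block, self.buf, self.stream_id = bytes(self.buf), bytearray(), None
            return block
        return None


def process(data, max_header_size=DEFAULT_MAX_HEADER_SIZE):
    """Run the accumulator over a frame stream.
    Returns (completed header blocks, frames consumed, error code or None)."""
    acc = HeaderBlockAccumulator(max_header_size)
    blocks, consumed = [], 0
    try:
        for frame in iter_frames(data):
            consumed += 1
            block = acc.feed(*frame)
            if block is not None:
                blocks.append(block)
    except Http2Error as err:
        return blocks, consumed, err.code
    return blocks, consumed, None


# Constructed sample 1: a 150-byte header block split across HEADERS + CONTINUATION
SAMPLE_OK = (build_frame(HEADERS, 0, 1, b"\x82" * 100)
             + build_frame(CONTINUATION, END_HEADERS, 1, b"\x84" * 50))
# Constructed sample 2: a header block that never sets END_HEADERS (41 KB in total)
SAMPLE_UNTERMINATED = (build_frame(HEADERS, 0, 3, b"\x82" * 1000)
                       + b"".join(build_frame(CONTINUATION, 0, 3, b"\x82" * 1000) for _ in range(40)))

if __name__ == "__main__":
    print(process(SAMPLE_OK)[1:])            # 2 frames, no error
    print(process(SAMPLE_UNTERMINATED)[1:])  # stops at frame 21 with PROTOCOL_ERROR
```

With the default cap, the unterminated sample is refused at the 21st frame, when the running total would first exceed 20000 bytes; lowering the cap to 5000 moves the refusal to the 6th frame. The accumulator also raises PROTOCOL_ERROR for a CONTINUATION on a different stream and for any other frame type that interrupts a header block, which is the existing RFC 9113 requirement the size check sits alongside.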
@fl4via fl4via added waiting CI check Ready to be merged but waiting for CI check and removed under verification Currently being verified (running tests, reviewing) before posting a review to contributor waiting CI check Ready to be merged but waiting for CI check labels Jun 20, 2024
@fl4via fl4via merged commit 62aef6a into undertow-io:master Jun 20, 2024
34 checks passed
@fl4via fl4via removed the next release This PR will be merged before next release or has already been merged (for payload double check) label Jun 20, 2024