PQ59426: WAS PLUGIN DOES NOT HAVE CAPABILITY TO LIMIT THE REQUEST BODY

APAR status
Closed as program error.

Error description
IHS/Apache has the LimitRequestBody directive, which returns a 413
error (Request Entity Too Large) when the request body is larger than
LimitRequestBody. It is a very popular way to protect against
"Denial of Service" attacks.

However, this directive does not affect the WAS plugin module.
The WAS plugin module should provide the same functionality itself.

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server 4.0 users of    *
*                 the webserver plugins.                       *
****************************************************************
* PROBLEM DESCRIPTION: The plugin did not restrict the size    *
*                      of the POST data that it would attempt  *
*                      to read from the client.                *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The plugin needed to protect itself from clients attempting
to send very large POST content.  Most of the webservers
allow the user to set this at the webserver level but this
just allows for an extra layer of protection.
Problem conclusion
Allow the user to configure an upper limit on the size of POST
content that can be sent from the client.  The default is now
10 megabytes of POST content. The limit can be configured at
the server group level in the plugin-cfg.xml with the
attribute PostSizeLimit.  The value specified is in bytes.
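
An added example, not part of the APAR or IBM's code: a Python audit that reads a plugin-cfg.xml and reports server groups whose PostSizeLimit is missing, malformed, or above a site-chosen ceiling. The `ServerGroup` element name, the `Name` attribute, the sample file and the ceiling are assumptions made for illustration; only the `PostSizeLimit` attribute and its byte unit come from the text above.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Everything except the PostSizeLimit attribute is an
# assumed layout, not copied from the APAR.
SAMPLE_CFG = """<Config>
  <ServerGroup Name="orders" PostSizeLimit="1048576"/>
  <ServerGroup Name="uploads" PostSizeLimit="2147483647"/>
  <ServerGroup Name="legacy"/>
  <ServerGroup Name="broken" PostSizeLimit="10MB"/>
</Config>"""


def audit_post_size_limit(xml_text, ceiling_bytes, group_tag="ServerGroup"):
    """Return (group name, finding) pairs for server groups that need review."""
    findings = []
    root = ET.fromstring(xml_text)
    for group in root.iter(group_tag):
        name = group.get("Name", "<unnamed>")
        raw = group.get("PostSizeLimit")
        if raw is None:
            # No explicit limit: on a plugin level with this fix the
            # default described in the APAR applies.
            findings.append((name, "unset (plugin default applies)"))
            continue
        try:
            limit = int(raw.strip())
        except ValueError:
            # The APAR states the value is in bytes, so unit suffixes are invalid.
            findings.append((name, "not an integer byte count: %r" % raw))
            continue
        if limit <= 0:
            findings.append((name, "non-positive value: %d" % limit))
        elif limit > ceiling_bytes:
            findings.append(
                (name, "exceeds ceiling: %d > %d" % (limit, ceiling_bytes)))
    return findings


if __name__ == "__main__":
    # The 10 MiB ceiling here is a site policy choice for the demo.
    for name, finding in audit_post_size_limit(SAMPLE_CFG, 10 * 1024 * 1024):
        print("%-10s %s" % (name, finding))
```
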

Temporary fix

Comments

APAR information
APAR number: PQ59426
Reported component name: WEBSPHERE AE NT
Reported component ID: 5630A2201
Reported release: 400
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2002-03-28
Closed date: 2002-04-25
Last modified date: 2002-11-01

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
PLUGIN          

Fix information
Fixed component name: WEBSPHERE AE NT
Fixed component ID: 5630A2201

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ59426
IBM Group: Software Group
Modified date: Nov 1, 2002