@@ -42,24 +42,54 @@ public class SimpleRPCHttpServlet extends HttpServlet {
4242
4343 protected Set runnables = new HashSet ();
4444
45+ protected long postLimit = 0x1000000 ; // 16 * 1024 * 1024 // 16M!
46+
47+ protected boolean supportXSS = true ;
48+
49+ /*
50+ * should never be bigger than 10!
51+ * each part will be an HTTP connection!
52+ */
53+ protected int xssPartLimit = 128 ; // 8k * 128 = 1M, for IE it will 2k * 128 = 256k
54+
55+ protected long xssLatency = 60 * 1000 ; // 60s to send a request?
56+
4557 protected long maxPostLimit () {
46- return 0x1000000 ; // 16 * 1024 * 1024 // 16M!
58+ return postLimit ;
4759 }
4860
61+ /**
62+ * Return support cross site script request or not.
63+ *
64+ * If cross site script is supported, http log format should be modified
65+ * so those requests are not logged.
66+ * If Apache httpd server is used, you can modify httpd.conf as following:
67+ * <pre>
68+ * LogFormat "%h %l %u %t \"%m %U %H\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" noquery
69+ * ...
70+ * CustomLog logs/dummy-host.example.com-access_log noquery
71+ * </pre>
72+ * Or use SetEnvIf
73+ * <pre>
74+ * SetEnvIf Request_URI "^/your-url" dontlog
75+ * CustomLog logs/dummy-host.example.com-access_log combined env=!dontlog
76+ * </pre>
77+ *
78+ * @see http://httpd.apache.org/docs/2.0/mod/mod_log_config.html
79+ * @see http://httpd.apache.org/docs/1.3/logs.html
80+ *
81+ * @return
82+ */
4983 protected boolean supportXSSRequest () {
50- return true ;
84+ return supportXSS ;
5185 }
5286
5387 protected int maxXSSRequestParts () {
54- /*
55- * should never bigger than 10!
56- * each part will be an HTTP connection!
57- */
58- return 128 ; // 8k * 128 = 1M, for IE it will 2k * 128 = 256k
88+ return xssPartLimit ;
5989 }
6090
6191 protected long maxXSSRequestLatency () {
62- return 60 * 1000 ; // 60s to send a request?
92+ return xssLatency ;
6393 }
6494
6595 /**
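Review bot: The Javadoc added for supportXSSRequest() leaves its `@return` tag empty (line 81) and uses bare URLs in `@see`, which javadoc treats as unresolvable references; `@return {@code true} when cross-site script (XSS-style) requests are accepted, i.e. the current value of {@code supportXSS}` and `@see <a href="http://httpd.apache.org/docs/2.0/mod/mod_log_config.html">mod_log_config</a>` would render correctly. The comment moved onto `xssPartLimit` (lines 49-53) still says the value "should never be bigger than 10!" while the default on the same line is 128; either the note or the default is stale, and nothing visible enforces any bound, so the comment should state the actual constraint or be dropped. The four new fields are `protected` and mutable with no documentation of when they may change; a short comment that they are read from init parameters during init() and must not be modified afterwards would help subclass authors.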
@@ -147,6 +177,37 @@ public void init() throws ServletException {
147177 }
148178 }
149179 }
180+ String postLimitStr = getInitParameter ("simple.rpc.post.limit" );
181+ if (postLimitStr != null ) {
182+ try {
183+ postLimit = Long .parseLong (postLimitStr );
184+ if (postLimit <= 0 ) {
185+ postLimit = Long .MAX_VALUE ;
186+ }
187+ } catch (NumberFormatException e ) {
188+ e .printStackTrace ();
189+ }
190+ }
191+ String xssSupportStr = getInitParameter ("simple.rpc.xss.support" );
192+ if (xssSupportStr != null ) {
193+ supportXSS = "true" .equals (xssSupportStr );
194+ }
195+ String xssLatencytStr = getInitParameter ("simple.rpc.xss.max.latency" );
196+ if (xssLatencytStr != null ) {
197+ try {
198+ xssLatency = Long .parseLong (xssLatencytStr );
199+ } catch (NumberFormatException e ) {
200+ e .printStackTrace ();
201+ }
202+ }
203+ String xssPartsStr = getInitParameter ("simple.rpc.xss.max.parts" );
204+ if (xssPartsStr != null ) {
205+ try {
206+ xssPartLimit = Integer .parseInt (xssPartsStr );
207+ } catch (NumberFormatException e ) {
208+ e .printStackTrace ();
209+ }
210+ }
150211 super .init ();
151212 }
152213
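Review bot: At line 184-186 a zero or negative `simple.rpc.post.limit` is turned into `Long.MAX_VALUE`, which silently removes the request-body limit that maxPostLimit() exists to enforce; if "0 means unlimited" is intended it needs a comment, otherwise keeping the compiled default is safer, e.g. `if (postLimit <= 0) { log("Ignoring non-positive simple.rpc.post.limit: " + postLimitStr); postLimit = 0x1000000; }`. The other two parsed values are not range-checked at all: `xssLatency` (line 198) and `xssPartLimit` (line 206) accept zero or negative numbers, and `xssPartLimit` is not held to any bound even though its field comment warns the value must stay small. A malformed value is only reported with `e.printStackTrace()` and the servlet then starts with the default, so the misconfiguration is easy to miss; `log("Invalid " + name + ": " + value, e)` on the servlet would at least name the parameter. init() begins outside the hunk.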
@@ -242,10 +303,17 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
242303 }
243304 int partsCount = Integer .parseInt (count );
244305 int curPart = Integer .parseInt (current );
245- if (partsCount > maxXSSRequestParts () || curPart > partsCount ) {
306+ if (curPart > partsCount ) {
246307 resp .sendError (HttpServletResponse .SC_BAD_REQUEST );
247308 return ;
248309 }
310+ if (partsCount > maxXSSRequestParts ()) {
311+ resp .setContentType ("text/javascript" );
312+ //resp.setCharacterEncoding("utf-8");
313+ resp .getWriter ().write ("net.sf.j2s.ajax.SimpleRPCRequest" +
314+ ".xssNotify(\" " + nameID + "\" , \" exceedrequestlimit\" );" );
315+ return ;
316+ }
249317 if (partsCount != 1 ) {
250318 HttpSession session = req .getSession ();
251319 String attrName = "jzn" + nameID ;
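Review bot: The new branch at lines 310-316 writes `nameID` straight into a `text/javascript` body inside a string literal; its source is outside the hunk, but if it comes from the request (as the session attribute `"jzn" + nameID` suggests) a value containing a quote or backslash breaks out of the literal and the response becomes caller-controlled script, which the old `SC_BAD_REQUEST` path never allowed. Before embedding it, restrict the value to the characters the protocol expects, e.g. `if (nameID == null || !nameID.matches("[A-Za-z0-9_.-]+")) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }` (assuming nameID is a String), or JavaScript-escape it. Line 312 leaves `resp.setCharacterEncoding("utf-8")` commented out, so the body is written in the container's default encoding; set it explicitly or declare it in the content type. doGet() starts and continues outside the hunk.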