You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Dec 18, 2018. It is now read-only.
I'm trying to harden a service using kestrel and found a problem with dropped HTTP client connections. If the HTTP client drops the connection while the application is writing to the stream, kestrel doesn't seem to detect this very well. Even if the application code catches the write errors and the HTTP context is aborted, eventually the kestrel server will just exit with "Aborted." This is relatively easy to exploit just by killing a lot of HTTP connections while a write is occurring.
I first tried this in coreclr-beta8, but it continues to be an issue in rc1 and rc1-update1. It is relatively simple to reproduce the issue - I have a small application that runs using the bits on the microsoft/aspnet:1.0.0-rc1-update1-coreclr docker image. The server code and bash script to reproduce the issue can be found in my hardening-kestrel repo.
I'm trying to harden a service using kestrel and found a problem with dropped HTTP client connections. If the HTTP client drops the connection while the application is writing to the stream, kestrel doesn't seem to detect this very well. Even if the application code catches the write errors and the HTTP context is aborted, eventually the kestrel server will just exit with "Aborted." This is relatively easy to exploit just by killing a lot of HTTP connections while a write is occurring.
I first tried this in coreclr-beta8, but it continues to be an issue in rc1 and rc1-update1. It is relatively simple to reproduce the issue - I have a small application that runs using the bits on the microsoft/aspnet:1.0.0-rc1-update1-coreclr docker image. The server code and bash script to reproduce the issue can be found in my hardening-kestrel repo.