commons-dev mailing list archives

From "Andrey Aristarkhov" <>
Subject RE: [fileupload] when does request get passed?
Date Tue, 17 Jun 2003 14:38:35 GMT

The request is parsed when the first call of getParameterXXX() is made.
But FileUpload uses its own parser to parse the request.
There is no problem implementing a filter that will decline huge
requests by checking the Content-Length request header. So it's not
necessary to change the container code. But the reason is to update
the parsing model of FileUpload to be able to detect huge uploads on-the-fly
but not after complete request parsing. Another issue in the current
FileUpload implementation is that sizeMax defines the _maximum request
size_ but not the _maximum size of an uploaded file_. So if sizeMax was set
before request parsing and the request content length exceeds this limit
SizeLimitExceededException will be thrown (, line
315). Probably sizeMax should be propagated to newly created
FileItems, or there should be a new property added, say maxFileSize, to
limit the size of uploaded files? (Actually this new property should be
used inside the MultipartStream class).

Andrey Aristarkhov

> -----Original Message-----
> From: Will Stranathan [] 
> Sent: Friday, June 13, 2003 10:19 PM
> To:
> Subject: [fileupload] when does request get passed?
>
> Is it documented in the Servlet API when a servlet's service() method
> begins to be executed in terms of when the request is sent to the
> server?  The reason I ask is because, the way FileUpload is currently
> implemented, setSizeMax does not prevent a DoS attack - it just limits
> the size of an uploaded item AFTER the entire stream has (seemingly)
> been received by the servlet.
>
> For example, set your sizeMax to something very low, and try uploading
> a very large file - yes - the exception will get thrown, but not until
> the entire contents of the file have been sent.
>
> Is this something that a filter will fix?  Or is it something that has
> to change in the container's code?
>
> Thanks,
> Will Stranathan

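The two defenses discussed in this thread, sketched as an added example that is not part of the original messages and is not Commons FileUpload code: a servlet filter that declines requests by their declared Content-Length, and a stream wrapper that enforces a byte limit while the body is being read. The class names, the `maxBytes` init parameter and the 1 MiB default are assumptions made for illustration.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical names): declines oversized requests before any parsing.
public class MaxRequestSizeFilter implements Filter {
    private long maxBytes = 1024 * 1024; // assumed default of 1 MiB

    public void init(FilterConfig cfg) {
        String v = cfg.getInitParameter("maxBytes"); // hypothetical init-param name
        if (v != null) maxBytes = Long.parseLong(v);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getContentLength() returns -1 when the length is unknown (for example a
        // chunked body), so this check only stops clients that declare their size.
        if (req.getContentLength() > maxBytes) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "Request body too large");
            return; // the application never reads the body
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    // Counts bytes as they are consumed and aborts as soon as the limit is crossed,
    // instead of reporting the overrun after the whole stream has been received.
    public static class BoundedInputStream extends FilterInputStream {
        private final long limit;
        private long seen;

        public BoundedInputStream(InputStream in, long limit) { super(in); this.limit = limit; }

        @Override public int read() throws IOException {
            int b = super.read();
            if (b != -1) count(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) count(n);
            return n;
        }
        @Override public long skip(long n) throws IOException { long s = super.skip(n); count(s); return s; }

        private void count(long n) throws IOException {
            seen += n;
            if (seen > limit) throw new IOException("Upload exceeded " + limit + " bytes");
        }
    }
}
```

Wrapping the whole request body in `BoundedInputStream` gives an on-the-fly request limit that also covers bodies sent without a Content-Length; wrapping the stream of each individual part would give a per-file limit of the kind proposed above as maxFileSize.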