From: "Andrey Aristarkhov"
To: "'Jakarta Commons Developers List'"
Subject: RE: [fileupload] when does request get passed?
Date: Tue, 17 Jun 2003 18:38:35 +0400

Will,

request is being parsed when a first call of getParameterXXX() was made. But FileUpload uses its own parser to parse request. There is no problem to implement some filter that will decline huge requests by checking Content-Length request header. So it's not necessary to change the container code. But the reason is to update parsing model of FileUpload to be able to detect huge uploads on-the-fly but not after complete request parsing.

Another issue in the current FileUpload implementation is that sizeMax defines the _maximum request size_ but not _maximum size of uploaded file_. So if sizeMax was set before request parsing and request content length exceeds this limit SizeLimitExceededException will be thrown (FileUploadBase.java, line 315). Probably sizeMax should be propagated to a newly created FileItems, or there should be a new property added, say maxFileSize to limit a size of uploaded files? (Actually this new property should be used inside the MultipartStream class).

Regards,
Andrey Aristarkhov
BiTechnology

> -----Original Message-----
> From: Will Stranathan [mailto:wstranathan@hotmail.com]
> Sent: Friday, June 13, 2003 10:19 PM
> To: commons-dev@jakarta.apache.org
> Subject: [fileupload] when does request get passed?
>
> Is it documented in the Servlet API when a servlet's service() method begins
> to be executed in terms of when the request is sent to the server?
> The reason I ask is because, the way FileUpload is currently implemented,
> setSizeMax does not prevent a DoS attack - it just limits the size of an
> uploaded item AFTER the entire stream has (seemingly) been received by the
> servlet.
>
> For example, set your sizeMax to something very low, and try uploading a
> very large file - yes - the exception will get thrown, but not until the
> entire contents of the file have been sent.
>
> Is this something that a filter will fix? Or is it something that has to
> change in the container's code?
>
> Thanks,
> Will Stranathan
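
Added example, not part of the original messages and not FileUpload's own code: a self-contained Java program showing the two checks discussed in this thread, rejecting on the declared Content-Length and enforcing the limit on the fly while the body is being read. The names UploadLimitDemo, SizeLimitedInputStream and declaredLengthTooLarge, the 1024-byte limit and the sample body are assumptions made for illustration.

```java
import java.io.*;

// Added example; all names here are hypothetical, not FileUpload's API.
public class UploadLimitDemo {
    /** Counts bytes as they are consumed and aborts as soon as the limit is passed. */
    static class SizeLimitedInputStream extends FilterInputStream {
        private final long limit;
        private long count;

        SizeLimitedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }
        private long account(long n) throws IOException {
            if (n > 0 && (count += n) > limit)
                throw new IOException("body exceeds " + limit + " bytes, aborted at " + count);
            return n;
        }
        @Override public int read() throws IOException {
            int b = super.read();
            account(b >= 0 ? 1 : 0);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            return (int) account(super.read(buf, off, len));
        }
        @Override public long skip(long n) throws IOException {
            return account(super.skip(n));
        }
    }

    /** Header pre-check. A length of -1 means no Content-Length was declared. */
    static boolean declaredLengthTooLarge(long contentLength, long limit) {
        return contentLength > limit;
    }

    public static void main(String[] args) throws IOException {
        long limit = 1024;                       // assumed limit for the demo
        byte[] body = new byte[10 * 1024];       // constructed 10 KiB request body
        System.out.println("declared 10240 rejected: " + declaredLengthTooLarge(body.length, limit));
        System.out.println("no header rejected: " + declaredLengthTooLarge(-1, limit));
        byte[] buf = new byte[256];
        try (InputStream in = new SizeLimitedInputStream(new ByteArrayInputStream(body), limit)) {
            while (in.read(buf) != -1) { /* a multipart parser would consume buf here */ }
        } catch (IOException e) {
            System.out.println(e.getMessage());  // raised before the whole body was read
        }
    }
}
```

The header check is only a fast path: a request sent without Content-Length (for example with chunked transfer encoding) passes it, so the stream wrapper is what actually enforces the limit.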