From: fakessh
Reply-To: fakessh@fakessh.eu
To: users@httpd.apache.org
Date: Mon, 04 Oct 2010 20:32:07 +0200
Message-Id: <1286217127.21691.21.camel@localhost.localdomain>
Subject: Re: [users@httpd] A newbie question about http post

Use the AJAX library for the upload, enable JavaScript in the form, and check all the variables for the upload; it's a nice way.

On Monday, 04 October 2010 at 14:23 -0400, Pito Salas wrote:
> I was having a debate with a friend of mine. Can you clear this up?
>
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
>
> In other words:
>
>
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
>
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.
>
> Thanks for any insights (or references where the answer is explained)
>
> - Pito
>

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
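
An added example, not part of the original thread: one way httpd itself can be configured so that request bodies are capped and POST is accepted only where an application expects it. It assumes httpd 2.4 syntax with mod_reqtimeout available; the paths `/var/www/html` and `/upload` and the byte values are constructed for illustration, and `/upload` is assumed not to map to files under the static directory.

```apache
# Constructed example (httpd 2.4 syntax). Paths and sizes are assumptions,
# not values taken from the thread.

# Server-wide ceiling on request bodies, in bytes. A request that exceeds
# it gets an error response instead of being serviced.
LimitRequestBody 1048576

# Static content: only read methods are allowed here, so a POST aimed at
# a plain file is refused by the access check.
<Directory "/var/www/html">
    <LimitExcept GET HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>

# The one endpoint whose application has said it wants uploads.
<Location "/upload">
    # Anything other than POST is refused on this endpoint.
    <LimitExcept POST>
        Require all denied
    </LimitExcept>
    # Larger cap than the server-wide one, but still bounded (10 MiB).
    LimitRequestBody 10485760
</Location>

# Bound how slowly a client may deliver headers and body, so a trickled
# upload cannot hold a worker indefinitely.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

After changing the configuration, `apachectl configtest` checks the syntax before a reload.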