Message-ID: <3FB74F40.4010701@apache.org>
Date: Sun, 16 Nov 2003 11:19:44 +0100
From: Remy Maucherat
To: Tomcat Developers List
Subject: Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5 CoyoteConnector.java CoyoteRequest.java LocalStrings.properties

Bill Barker wrote:
>>remm 2003/11/15 01:45:02
>>
>> Modified: catalina/src/share/org/apache/coyote/tomcat5
>> CoyoteConnector.java CoyoteRequest.java
>> LocalStrings.properties
>> Log:
>> - Add a limit to the size of a POST which will be processed using getParameter
>> (which does allocate a significant amount of objects).
>>
>> int len = getContentLength(); >> >> if (len > 0) { >> + if (len > ((CoyoteConnector) connector).getMaxPostSize()) { >> + log(sm.getString("coyoteRequest.postTooLarge")); >> + return; >> + } >> try { >> byte[] formData = null; >> if (len < CACHED_POST_LEN) {
>>
>
> I'm -1 on this. It gives the Servlet no indication that anything is wrong,
> and leaves junk in the input stream for the next keep-alive request. I
> think that it would be better to handle this in the Adaptor's
> postParseRequest method.

This is a security issue, so I'll have to ignore your -1, since you give no alternative solution.

Remy
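
Review bot: the added `len > getMaxPostSize()` branch in the quoted hunk only logs and returns, so an oversized POST looks the same to the servlet as a form with no parameters, and the declared body is left unread on the connection. Suggest recording the rejection on the request (a flag or exception the application can observe) and either draining the body or closing the connection instead of keeping it alive. Two smaller points on the same lines: the limit is evaluated only inside `if (len > 0)`, so it applies only when a positive Content-Length is declared, and there is no handling for a `getMaxPostSize()` of zero or less, which as written rejects every POST with a body; define a "no limit" value and document it. Including `len` and the configured limit in the `coyoteRequest.postTooLarge` message would make the log line usable for triage.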