tomcat-dev mailing list archives

From "Bill Barker" <>
Subject Re: cvs commit: jakarta-tomcat-catalina/webapps/docs changelog.xml
Date Thu, 12 May 2005 15:33:47 GMT

----- Original Message ----- 
From: "Remy Maucherat" <>
To: "Tomcat Developers List" <>
Sent: Thursday, May 12, 2005 5:28 AM
Subject: Re: cvs commit: jakarta-tomcat-catalina/webapps/docs changelog.xml

>Tim Funk wrote:
>> Would it be worthwhile to use a new property?
>> maxSavePostSize - The max size of a post to save. 0 for unlimited, -1 to 
>> disable saving post.
>> Of course this doesn't mitigate a malicious person issuing many POSTS 
>> under the configured threshold.
>I think I disagree. Even if you are not trying to do a DoS, it is very easy 
>to do it unintentionally if you save any post data (file upload).
>We'd need to restrict saved POST size severely, as well as restrict more by 
>default any form POST data.

I agree.  I'd even be +1 to further restricting the saved body size for 
CLIENT-CERT auth, and that one is only saved for the time of one request. 
Since the body in a FORM auth is going to be saved for much longer, it's 
even more important to restrict it.

And this is even more important for mod_jk users, since they will never get 
a chance to recover the data that they have posted :(.
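As an added illustration, not Tomcat's code and not written by anyone in this thread, of the maxSavePostSize semantics Tim proposed (0 for unlimited, -1 to disable saving, N to save only bodies up to N bytes); the server-wide budget for bytes held across all pending FORM logins is an assumption added here to address the "many POSTs under the threshold" concern:

```python
"""Illustration of the proposed maxSavePostSize semantics for POST bodies
saved during FORM authentication. Not Tomcat source; the aggregate budget
and the refusal of bodies with unknown length are assumptions made here."""

UNLIMITED = 0   # proposed: 0 means no per-body size limit
DISABLED = -1   # proposed: -1 means never save a POST body


class SavedPostStore:
    """Holds POST bodies for sessions redirected to the login form."""

    def __init__(self, max_save_post_size, total_budget=None):
        self.max_save_post_size = max_save_post_size
        self.total_budget = total_budget  # None: no server-wide cap (assumed knob)
        self.saved = {}                   # session id -> saved body bytes
        self.held = 0                     # bytes currently held across sessions

    def may_save(self, content_length):
        """Decide up front, from the declared Content-Length, whether to buffer."""
        if self.max_save_post_size == DISABLED:
            return False
        if content_length is None:
            # No Content-Length (e.g. chunked): cannot check the cap, so refuse
            # unless the operator explicitly asked for unlimited saving.
            return self.max_save_post_size == UNLIMITED
        if self.max_save_post_size != UNLIMITED and content_length > self.max_save_post_size:
            return False
        if self.total_budget is not None and self.held + content_length > self.total_budget:
            return False  # many small POSTs cannot exhaust memory either
        return True

    def save(self, session_id, body):
        if not self.may_save(len(body)):
            return False
        self.saved[session_id] = body
        self.held += len(body)
        return True

    def restore(self, session_id):
        """Release the body once the user authenticates (or the session expires)."""
        body = self.saved.pop(session_id, None)
        if body is not None:
            self.held -= len(body)
        return body
```

A body that is refused is simply not replayed after login; the request itself is still answered with the login redirect.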
