tomcat-dev mailing list archives

From Remy Maucherat <r...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-catalina/webapps/docs changelog.xml
Date Thu, 12 May 2005 08:07:52 GMT
markt@apache.org wrote:
> markt       2005/05/11 14:39:41
> 
>   Modified:    catalina/src/share/org/apache/catalina/authenticator
>                         FormAuthenticator.java SavedRequest.java
>                webapps/docs changelog.xml
>   Log:
>   Include request body in saved request when using FORM authentication.
>    - Fixes problem with saved request assuming platform default encoding for POSTed
>     parameters.
>    - Improves restoration of request by using CoyoteRequest

This is way too risky to do for any POST (which could be a file 
upload), and I think it could lead to easy DoSes, so I share Bill's 
concerns.

Saving parameters in general is risky as well, obviously ...

IMO, webapps need to be better designed, and auth should happen before 
sending forms.

Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
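The two concerns in this thread, an unbounded POST body parked in the session during FORM login (the DoS) and parameters decoded with the platform default instead of the request's charset (the bug the commit fixes), are illustrated below as an added example. It is not Tomcat's code and not Rémy's or Mark's: the class and method names (SavedPostDemo, SavedPost, save, parameters, MAX_SAVE_POST_SIZE) are hypothetical, and the sample bodies are constructed for the example. The servlet API is left out so the file runs stand-alone with `java SavedPostDemo.java` on Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added illustration of a bounded "saved request" for FORM authentication.
 * Not Tomcat code: all names here are hypothetical and chosen for this example.
 */
public class SavedPostDemo {

    /** Hypothetical cap on how much body we are willing to park in the session. */
    static final int MAX_SAVE_POST_SIZE = 4096;

    /** What is needed to replay a form POST once the user has logged in. */
    static final class SavedPost {
        final String contentType;   // e.g. application/x-www-form-urlencoded
        final Charset charset;      // taken from the request, never the platform default
        final byte[] body;          // raw bytes; decoded only at replay time

        SavedPost(String contentType, Charset charset, byte[] body) {
            this.contentType = contentType;
            this.charset = charset;
            this.body = body;
        }

        /** Decode the saved form body with the charset it was sent in. */
        Map<String, String> parameters() {
            Map<String, String> params = new LinkedHashMap<>();
            String text = new String(body, charset);
            for (String pair : text.split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String k = eq < 0 ? pair : pair.substring(0, eq);
                String v = eq < 0 ? "" : pair.substring(eq + 1);
                params.put(URLDecoder.decode(k, charset), URLDecoder.decode(v, charset));
            }
            return params;
        }
    }

    /**
     * Buffer a form body for later replay, refusing anything over the cap.
     * Reads at most limit + 1 bytes, so an oversized or endless body can never
     * grow the session; returns null when the body must not be saved.
     */
    static SavedPost save(String contentType, String requestCharset,
                          InputStream in, int limit) throws IOException {
        // Only url-encoded form bodies are worth replaying; a multipart upload is refused outright.
        if (contentType == null
                || !contentType.startsWith("application/x-www-form-urlencoded")) {
            return null;
        }
        // Servlet default when the request names no charset is ISO-8859-1, not the JVM default.
        Charset cs = requestCharset != null ? Charset.forName(requestCharset)
                                            : StandardCharsets.ISO_8859_1;
        byte[] buf = new byte[limit + 1];
        int total = 0;
        int n;
        while (total < buf.length && (n = in.read(buf, total, buf.length - total)) > 0) {
            total += n;
        }
        if (total > limit) {
            return null;   // too big: do not park it in the session
        }
        return new SavedPost(contentType, cs, Arrays.copyOf(buf, total));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a UTF-8 form POST whose value contains a non-ASCII character.
        byte[] form = "user=ren%C3%A9&next=%2Fadmin".getBytes(StandardCharsets.US_ASCII);
        SavedPost saved = save("application/x-www-form-urlencoded; charset=UTF-8", "UTF-8",
                new ByteArrayInputStream(form), MAX_SAVE_POST_SIZE);
        System.out.println("decoded with request charset : " + saved.parameters());

        // Same bytes decoded with a wrong (platform-style) default: the value is mangled.
        SavedPost wrong = new SavedPost(saved.contentType, StandardCharsets.ISO_8859_1, form);
        System.out.println("decoded with wrong charset   : " + wrong.parameters());

        // Constructed sample: a body one byte over the cap is refused rather than buffered.
        byte[] big = new byte[MAX_SAVE_POST_SIZE + 1];
        Arrays.fill(big, (byte) 'a');
        System.out.println("oversized body saved? "
                + (save("application/x-www-form-urlencoded", null,
                        new ByteArrayInputStream(big), MAX_SAVE_POST_SIZE) != null));

        // Constructed sample: a multipart upload is never saved, whatever its size.
        System.out.println("multipart body saved? "
                + (save("multipart/form-data; boundary=x", null,
                        new ByteArrayInputStream(form), MAX_SAVE_POST_SIZE) != null));
    }
}
```

The cap is the point: the read loop asks for at most limit + 1 bytes and drops the request if that extra byte arrives, so a client cannot make the container buffer an upload on its behalf before it has even authenticated. Tomcat later exposed exactly this kind of limit as the Connector's `maxSavePostSize` attribute (4096 bytes by default), which is the knob to check when a FORM-protected application accepts large POSTs.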

