tomcat-dev mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: cvs commit: jakarta-tomcat-catalina/webapps/docs changelog.xml
Date Thu, 12 May 2005 10:54:13 GMT
Would it be worthwhile to use a new property?

maxSavePostSize - The max size of a post to save. 0 for unlimited, -1 to 
disable saving post.

Of course this doesn't mitigate a malicious person issuing many POSTs under 
the configured threshold.

-Tim


Remy Maucherat wrote:
> markt@apache.org wrote:
> 
>> markt       2005/05/11 14:39:41
>>
>>   Modified:    catalina/src/share/org/apache/catalina/authenticator
>>                         FormAuthenticator.java SavedRequest.java
>>                webapps/docs changelog.xml
>>   Log:
>>   Include request body in saved request when using FORM authentication.
>>    - Fixes problem with saved request assuming platform default 
>> encoding for POSTed
>>     parameters.
>>    - Improves restoration of request by using CoyoteRequest
> 
> 
> This is way too risky to do it for any POST (which could be a file 
> upload), and I think it could lead to easy DoSes, so I share Bill's 
> concerns.
> 
> Saving parameters in general is risky as well, obviously ...
> 
> IMO, webapps need to be better designed, and auth should happen before 
> sending forms.
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
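The bounded buffering that Tim's proposed maxSavePostSize property describes, written out as an added illustration (this is not Tomcat's SavedRequest or FormAuthenticator code; the class and method names are assumptions, and the 0 / -1 semantics are taken from the proposal above). The body is kept as raw bytes so the request's own charset can be applied when it is restored, and the read loop enforces the cap even when the declared Content-Length is absent or wrong.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

/** Illustrative helper (not Tomcat's own): decides whether, and how much of,
 *  a POST body is buffered for replay after FORM authentication. */
public final class BoundedPostSaver {
    /** Semantics from the proposal: 0 = unlimited, -1 = never save, else a byte cap. */
    private final int maxSavePostSize;

    public BoundedPostSaver(int maxSavePostSize) {
        this.maxSavePostSize = maxSavePostSize;
    }

    /** Cheap pre-check on the declared length; -1 means the length is unknown (chunked). */
    public boolean shouldSave(long contentLength) {
        if (maxSavePostSize == -1) return false;
        if (maxSavePostSize == 0) return true;
        // Unknown length is allowed to proceed; save() still enforces the cap while reading.
        return contentLength <= maxSavePostSize;
    }

    /** Returns the buffered body as bytes, or null when the body must not be saved
     *  (saving disabled, declared length over the cap, or more bytes arrived than declared). */
    public byte[] save(long contentLength, InputStream body) throws IOException {
        if (!shouldSave(contentLength)) return null;
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = body.read(chunk)) != -1) {
            if (maxSavePostSize > 0 && buf.size() + n > maxSavePostSize) {
                return null; // body grew past the cap: refuse rather than keep allocating
            }
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }
}
```

Because one saved request replaces the previous one in the same session, the cap bounds memory per session; the remaining exposure Tim notes is the number of sessions an attacker can create, which this property does not limit.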

