tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Connection draining when upload to large
Date Fri, 11 Feb 2011 09:37:56 GMT
On 10/02/2011 21:32, Christopher Schultz wrote:
> Rainer,
> 
> On 2/10/2011 8:04 AM, Rainer Jung wrote:
>> It seems there's still no server-side prevention against huge uploads
>> possible. The upload is not put into memory, but the thread is only
>> freed once the whole request body is read. Shouldn't Tomcat ignore the
>> rest of data and close the connection in this case?
> 
> +1
> 
> I've always wondered why Tomcat drains the input stream instead of just
> closing it.
> 
> I could write a client that does a PUT or POST with no Content-Length
> and just send 1 byte every second or so and tie up a request thread
> indefinitely. That seems dangerous.

That is a different issue. You are describing a slowloris attack. The
simple mitigation for that is to use the NIO connector.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message