tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 61999] New: Setting maxSavePostSize=0 won't disable saving POST data
Date Mon, 15 Jan 2018 10:16:24 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

            Bug ID: 61999
           Summary: Setting maxSavePostSize=0 won't disable saving POST
                    data
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: bsi.msa@gmail.com
  Target Milestone: ----

The documentation for the Connector attribute "maxSavePostSize" says "Setting
the attribute to zero will disable the saving of POST data during
authentication.":
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes

However, we tested this and maxSavePostSize=0 won't disable saving POST data.
Instead, it actually tries to save the data with limit 0, so if there is any
POST data, a 403 Forbidden is sent in the response.

Also, looking at the corresponding source code, there is no special handling
for ignoring POST data if maxSavePostSize is set to zero:
FormAuthenticator#saveRequest(Request request, Session session) creates a
ByteChunk with limit 0. When calling ByteChunk#append(byte src[], int off, int
len) we get to the flushBuffer() method which throws an IOException caught by
FormAuthenticator#doAuthenticate which then sends a 403 Forbidden.

There is only special handling for the case where maxSavePostSize is negative
(i.e. no limit).

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message