tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 61999] New: Setting maxSavePostSize=0 won't disable saving POST data
Date Mon, 15 Jan 2018 10:16:24 GMT

            Bug ID: 61999
           Summary: Setting maxSavePostSize=0 won't disable saving POST
           Product: Tomcat 8
           Version: 8.5.x-trunk
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
  Target Milestone: ----

The documentation for the Connector attribute "maxSavePostSize" says "Setting
the attribute to zero will disable the saving of POST data during

However, we tested this and maxSavePostSize=0 won't disable saving POST data.
Instead, it actually tries to save the data with limit 0, so if there is any
POST data, a 403 Forbidden is sent in the response.

Also, looking at the corresponding source code, there is no special handling
for ignoring POST data if maxSavePostSize is set to zero:
FormAuthenticator#saveRequest(Request request, Session session) creates a
ByteChunk with limit 0. When calling ByteChunk#append(byte src[], int off, int
len) we get to the flushBuffer() method which throws an IOException caught by
FormAuthenticator#doAuthenticate which then sends a 403 Forbidden.

There is only special handling for the case where maxSavePostSize is negative
(i.e. no limit).

You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message