tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: Security issue: parameter size.
Date Tue, 13 May 2003 23:19:41 GMT
http://httpd.apache.org/docs/mod/core.html#limitrequestbody

-Tim

szhu@SonicWALL.com wrote:
> Hi, 
> 
> If a user POSTs a parameter of huge size (e.g., sends 1GB as the user name in a typical
> login page), will that crash Tomcat due to OutOfMemoryException? Because by the time a
> servlet's service method is called, the parameters are already in memory, so checking
> request.getContentLength() probably doesn't help. Filters' doFilter() method has the same
> problem. I didn't go through the coyote connector/HTTP connector code to check when the
> parameters are actually constructed, but my impression is that all parameters/headers are
> already parsed and stored in some in-memory data structure (e.g., Map) before the HTTP
> connector hands over the request to the servlet container, is that right? I guess one can
> use a web server such as Apache to reject these POSTs; can one do something in Tomcat
> itself? Thanks.
> 
> Shunhui



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
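
Added example (not part of the original thread, and not Apache's or Tomcat's code): a sketch of the general technique behind a front-end body limit such as the LimitRequestBody directive linked above. It rejects on the declared Content-Length before reading anything, and caps the bytes actually read when the length is absent. The 8 KB limit, the function and class names, and the already de-chunked body stream are assumptions.

```python
import io

MAX_BODY = 8 * 1024  # assumed limit for a login form, in bytes


class BodyTooLarge(Exception):
    """Condition a server would report as HTTP 413."""


def read_limited_body(headers, stream, limit=MAX_BODY, chunk=4096):
    """Return the request body, or raise BodyTooLarge without buffering it.

    headers: dict with lower-cased header names.
    stream:  file-like source of the (already de-chunked) body bytes.
    """
    declared = headers.get("content-length")
    if declared is not None:
        if not (declared.isascii() and declared.isdigit()):
            raise ValueError("malformed Content-Length")
        if int(declared) > limit:
            # Rejected from the header alone: no body byte is read or stored.
            raise BodyTooLarge(f"declared {declared} > {limit}")
        remaining = int(declared)
    else:
        remaining = None  # length unknown: count bytes while reading

    buf = bytearray()
    while remaining is None or remaining > 0:
        want = chunk if remaining is None else min(chunk, remaining)
        data = stream.read(want)
        if not data:
            break
        buf += data
        if len(buf) > limit:
            # Memory use stays bounded by limit + one chunk.
            raise BodyTooLarge(f"read more than {limit} bytes")
        if remaining is not None:
            remaining -= len(data)
    return bytes(buf)


class CountingStream(io.BytesIO):
    """Constructed helper for the demo: records how many bytes were pulled."""
    consumed = 0

    def read(self, n=-1):
        data = super().read(n)
        self.consumed += len(data)
        return data
```

The point of the ordering is that the size decision is made before any parameter map is built, which is the stage the question is worried about.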

