tomcat-users mailing list archives

From Tim Funk
Subject Re: Security issue: parameter size.
Date Tue, 13 May 2003 23:19:41 GMT

-Tim wrote:
> Hi,
> If a user POSTs a parameter of huge size (e.g., sends 1GB as the user name in a typical
> login page), will that crash Tomcat due to OutOfMemoryException? By the time a servlet's
> service method is called, the parameters are already in memory, so checking
> request.getContentLength() probably doesn't help. Filters' doFilter() method has the same
> problem. I didn't go through the coyote connector/http connector code to check when the
> parameters are actually constructed, but my impression is that all parameters/headers are
> already parsed and stored in some in-memory data structure (e.g., Map) before the http
> connector hands over the request to the servlet container, is that right? I guess one can
> use a web server such as Apache to reject these POSTs; can one do something in Tomcat
> itself? Thanks.
> Shunhui
