tomcat-users mailing list archives

From <s...@SonicWALL.com>
Subject Security issue: parameter size.
Date Tue, 13 May 2003 21:54:55 GMT
Hi,

If a user POSTs a parameter of huge size (e.g., sends 1GB as the user name in a typical login page), will that crash Tomcat due to OutOfMemoryException? I ask because by the time a servlet's service method is called, the parameters are already in memory, so checking request.getContentLength() probably doesn't help. Filters' doFilter() method has the same problem. I didn't go through the Coyote connector/HTTP connector code to check when the parameters are actually constructed, but my impression is that all parameters/headers are already parsed and stored in some in-memory data structure (e.g., Map) before the HTTP connector hands over the request to the servlet container; is that right? I guess one can use a web server such as Apache to reject these POSTs. Can one do something in Tomcat itself? Thanks.

Shunhui
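
An added example, not part of the original message: a servlet Filter that bounds form POST size using only request headers, before anything touches the parameters. It assumes the container defers form-parameter parsing until the first getParameter() call, a point the message leaves open; the class name and MAX_FORM_BYTES are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original message). The class name and
// MAX_FORM_BYTES are hypothetical; size the limit to the largest legitimate form.
public class PostSizeLimitFilter implements Filter {
    private static final int MAX_FORM_BYTES = 64 * 1024;

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String type = request.getContentType();
        boolean isForm = "POST".equalsIgnoreCase(request.getMethod())
                && type != null
                && type.toLowerCase(Locale.ROOT)
                       .startsWith("application/x-www-form-urlencoded");

        if (isForm) {
            // Only header-derived values are read here. getParameter() is never
            // called, so under the stated assumption no parameter map exists yet.
            int declared = request.getContentLength();
            if (declared < 0) {
                // No usable Content-Length (e.g. a chunked body): the size is
                // unknown up front, so refuse rather than buffer it.
                response.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
                return;
            }
            if (declared > MAX_FORM_BYTES) {
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
        }
        // Within limits (or not a form POST): let the request continue.
        chain.doFilter(req, res);
    }
}
```

The filter must be mapped ahead of any filter or servlet that reads parameters, since the first such read is what would pull the body into memory.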
