tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Security issue: parameter size.
Date Wed, 14 May 2003 06:13:33 GMT
Very useful, thanks.  However, it still leaves open two questions:
1)  Of course, this is no help for Tomcat-Standalone.
2)  Without testing, I'm very unclear if this works with mod_jk(2), which
have their own processing for the request-body.  Of course, I'm going to do
my own testing, but if you have an answer already, it would be welcome.

"Tim Funk" <> wrote in message
> -Tim
> wrote:
> > Hi,
> >
> > If a user POSTs a parameter of huge size (e.g., sends 1GB as the user name
> > in a typical login page), will that crash Tomcat due to
> > OutOfMemoryException? Because by the time a servlet's service method is
> > called, the parameters are already in memory, so checking
> > request.getContentLength() probably doesn't help. Filters' doFilter()
> > method has the same problem. I didn't go through the coyote
> > connector/http connector code to check when the parameters are actually
> > constructed, but my impression is that all parameters/headers are already
> > parsed and stored in some in-memory data structure (e.g., Map) before the
> > http connector hands over the request to the servlet container, is that
> > right? I guess one can use a web server such as Apache to reject these
> > POSTs, can one do something in Tomcat itself? Thanks.
> >
> > Shunhui
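
An added example, not code from the thread or from the Tomcat project: a servlet filter that rejects oversized POST/PUT bodies using only the request headers, without ever calling `getParameter()`. It assumes the container defers parameter parsing until the first `getParameter*()` call, which the thread does not confirm and which should be verified for the connector in use (including mod_jk); the class name, the `maxBytes` init-param and the 64 KiB default are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: refuses large request bodies before any parameter is read. */
public class MaxBodySizeFilter implements Filter {
    private static final String PARAM = "maxBytes"; // hypothetical init-param name
    private long maxBytes = 64L * 1024L;            // constructed default: 64 KiB

    public void init(FilterConfig config) throws ServletException {
        String value = config.getInitParameter(PARAM);
        if (value == null) {
            return; // keep the default
        }
        try {
            maxBytes = Long.parseLong(value.trim());
        } catch (NumberFormatException e) {
            throw new ServletException("Invalid " + PARAM + ": " + value, e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String method = http.getMethod();
        boolean hasBody = "POST".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method);
        // Header-only check: returns -1 when no Content-Length was sent (e.g. chunked).
        int declared = http.getContentLength();
        if (hasBody && declared < 0) {
            // Unknown length cannot be bounded up front, so refuse it outright.
            out.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
            return;
        }
        if (declared > maxBytes) {
            out.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        chain.doFilter(req, res); // only now may downstream code touch parameters
    }

    public void destroy() {
    }
}
```

The filter must be mapped ahead of any other filter or servlet that reads parameters, otherwise the body may already have been consumed by the time the check runs.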
