Subject: Security issue: parameter size.
Date: Tue, 13 May 2003 14:54:55 -0700
List-Id: "Tomcat Users List"

Hi,

If a user POSTs a parameter of huge size (e.g., sends 1GB as the user name in a typical login page), will that crash Tomcat due to OutOfMemoryException? Because by the time a servlet's service method is called, the parameters are already in memory, so checking request.getContentLength() probably doesn't help. Filters' doFilter() method has the same problem. I didn't go through the coyote connector/http connector code to check when the parameters are actually constructed, but my impression is that all parameters/headers are already parsed and stored in some in-memory data structure (e.g., Map) before the http connector hands over the request to the servlet container; is that right? I guess one can use a web server such as Apache to reject these POSTs; can one do something in Tomcat itself?

Thanks.
Shunhui
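
An added example, not part of the original message and not Tomcat's own code: a servlet filter that checks the declared body size of a form POST before any code reads a parameter. It assumes the container parses form parameters lazily, on the first getParameter() call, which the message does not confirm; the class name `PostSizeLimitFilter`, the `maxBytes` init-param and the 64 KB default are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rejects oversized form POSTs before anything calls
// getParameter(). Only effective if parameter parsing is lazy (assumption).
public class PostSizeLimitFilter implements Filter {
    private int maxBytes = 64 * 1024; // constructed default limit

    public void init(FilterConfig cfg) throws ServletException {
        String v = cfg.getInitParameter("maxBytes"); // hypothetical init-param
        if (v != null) {
            try { maxBytes = Integer.parseInt(v.trim()); }
            catch (NumberFormatException e) { throw new ServletException("bad maxBytes: " + v); }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        String type = http.getContentType();
        boolean form = "POST".equals(http.getMethod()) && type != null
                && type.toLowerCase().startsWith("application/x-www-form-urlencoded");
        if (form) {
            // -1 means no usable Content-Length (absent, chunked, or too large for int).
            int declared = http.getContentLength();
            if (declared < 0) {
                // Unknown size: refuse rather than let the body be buffered blindly.
                out.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
                return;
            }
            if (declared > maxBytes) {
                out.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
        }
        chain.doFilter(req, res); // within limit, or not a form POST
    }

    public void destroy() { }
}
```

The filter has to be mapped ahead of any filter or servlet that reads parameters, since the first getParameter() call is what would pull the body into memory under the stated assumption.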