From: "Bill Barker"
Subject: Re: Security issue: parameter size.
Date: Tue, 13 May 2003 23:13:33 -0700

Very useful, thanks.
However, it still leaves open two questions:

1) Of course, this is no help for Tomcat-Standalone.
2) Without testing, I'm very unclear if this works with mod_jk(2), which have their own processing for the request-body.

Of course, I'm going to do my own testing, but if you have an answer already, it would be welcome.

"Tim Funk" wrote in message news:3EC17D8D.5070100@joedog.org...
> http://httpd.apache.org/docs/mod/core.html#limitrequestbody
>
> -Tim
>
> szhu@SonicWALL.com wrote:
> > Hi,
> >
> > If a user POSTs a parameter of huge size (e.g., send 1GB as the user name
> > in a typical login page), will that crash Tomcat due to
> > OutOfMemoryException? Because by the time a servlet's service method is
> > called, the parameters are already in memory, so checking
> > request.getContentLength() probably doesn't help. Filters' doFilter()
> > method has the same problem. I didn't go through the coyote connector/http
> > connector code to check when the parameters are actually constructed, but
> > my impression is that all parameters/headers are already parsed and stored
> > in some in-memory data structure (e.g., Map) before the http connector
> > hands over the request to the servlet container, is that right? I guess
> > one can use a web server such as Apache to reject these POSTs, can one do
> > something in Tomcat itself? Thanks.
> >
> > Shunhui
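
The quoted question asks whether oversized POSTs can be rejected in Tomcat itself. The following is an added example, not code from any message in this thread or from the Tomcat project: a servlet filter that inspects only the `Content-Length` header and refuses the request before anything calls `getParameter()`. The class name `BodySizeLimitFilter` and the `maxBytes` init-param are hypothetical, and the filter assumes the container has not already parsed the body into parameters before the filter chain runs, which should be verified for the Tomcat version and connector in use.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: the class name and the "maxBytes" init-param are made up here.
// ASSUMPTION: the container parses the body only on the first getParameter*() call.
public class BodySizeLimitFilter implements Filter {
    private long maxBytes = 64 * 1024; // default cap when no init-param is set

    public void init(FilterConfig cfg) throws ServletException {
        String v = cfg.getInitParameter("maxBytes");
        if (v == null) return;
        try {
            maxBytes = Long.parseLong(v.trim());
        } catch (NumberFormatException e) {
            throw new ServletException("maxBytes is not a number: " + v, e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest hreq = (HttpServletRequest) req;
            HttpServletResponse hres = (HttpServletResponse) res;
            String m = hreq.getMethod();
            if ("POST".equals(m) || "PUT".equals(m)) {
                // Read the header only; calling getParameter() here would parse the body.
                String declared = hreq.getHeader("Content-Length");
                if (declared == null) {
                    // No declared length (e.g. chunked): size is unknown, so refuse.
                    hres.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
                    return;
                }
                long len;
                try {
                    len = Long.parseLong(declared.trim()); // long: values above 2 GB still compare
                } catch (NumberFormatException e) {
                    hres.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
                if (len < 0 || len > maxBytes) {
                    hres.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                    return;
                }
            }
        }
        chain.doFilter(req, res); // within the cap: continue down the chain
    }
    public void destroy() { }
}
```

Map the filter ahead of any other filter or servlet that reads request parameters, otherwise the body may be parsed before the check runs.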