tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: RequestDumperValve screws UTF-8 parameter parsing
Date Tue, 10 Jan 2006 12:25:51 GMT
The first thing a servlet (or filter) should do is set the encoding before 
touching the request parameters. It's not intended to be called somewhere late 
in the processing lifecycle. Since a Valve executes before any javax.servlet 
code - all bets are off (for the request encoding) based on the warning 
messages in the Valve.

For GET requests, reparsing might work when a new encoding is requested. But 
for POST requests - doing so would require saving the entire POST body 
somewhere. This can easily cause a memory-based DoS attack.

-Tim

Oded Arbel wrote:

> Then why is it at all possible to set the encoding? It should not be 
> needed and therefore should not be possible. The fact that such a call 
> exists suggests to me that calling it repeatedly would have some effect 
> (granted - it will slow the performance, but that is as expected) - I 
> would prefer the request implementation reparse everything when I 
> supply new character set information - taking its sweet time to do it 
> (I'm probably only going to do this once per request) - rather than 
> just ignore me.
> 
> The fact is, if you get at the request too late in the process, where 
> the character set has already been set (wrongly), there's nothing you 
> can do to rescue the data, and many times I've had that problem.
> 
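
Added example, not part of the original message and not Tomcat's own code: a servlet filter that sets the request encoding before anything reads a parameter, as the reply describes. The class name `RequestEncodingFilter` and the init-params `encoding` and `force` are hypothetical; the filter is assumed to be mapped first in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Hypothetical filter: it must be the first filter in the chain so that no
// other filter or servlet has called getParameter*() before it runs.
public class RequestEncodingFilter implements Filter {

    private String encoding = "UTF-8"; // assumed default when no init-param is given
    private boolean force = false;     // true: override a charset declared by the client

    public void init(FilterConfig cfg) throws ServletException {
        String configured = cfg.getInitParameter("encoding");
        if (configured != null) {
            encoding = configured;
        }
        // parseBoolean(null) is false, so a missing init-param leaves force off
        force = Boolean.parseBoolean(cfg.getInitParameter("force"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getCharacterEncoding() only reports the charset from Content-Type
        // (or null); it does not trigger parameter parsing.
        if (force || req.getCharacterEncoding() == null) {
            // Throws UnsupportedEncodingException (an IOException) for a bad name.
            req.setCharacterEncoding(encoding);
        }
        // Parameters are decoded on the first getParameter*() call. If a
        // component that runs before the filter chain (such as a Valve that
        // dumps request parameters) already made that call, the line above
        // comes too late and the container's default decoding stays in place.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // no resources to release
    }
}
```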
