tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: AJP with HTTPD - Buffer Size on long URLs
Date Mon, 30 Nov 2009 17:13:10 GMT
Caldarale, Charles R wrote:
>> From: Looijmans, Mike []
>> Subject: RE: AJP with HTTPD - Buffer Size on long URLs
>>> Looijmans, Mike wrote:
>>>> The RFC specs a maximum URL size of 4k.
>>> Where precisely did you find that ?
>> RFC2068 (old HTTP/1.1 spec)
> Citing an obsoleted RFC is a bit odd.  Regardless, the actual wording from section 3.2.1
of 2068 and 2616 (the superseding document) is:
> "The HTTP protocol does not place any a priori limit on the length of a URI."
> Followed shortly by:
> "A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the
server can handle (see section 10.4.15)."
> (Note the SHOULD, not MUST.)
> There is also a warning note:
> "Note: Servers should be cautious about depending on URI lengths above 255 bytes, because
some older client or proxy implementations may not properly support these lengths."
> No mention of a 4K limit anywhere that I can find.
Right. +1.
My point here (toward Mike) was that one should avoid propagating rumors 
or incorrect information, on a list that is read by unsuspecting users 
which may then believe that this is the ultimate truth.

This being said, the specs do not set a specific limit to a URI length, 
but it is certain that any server software has a practical one, if only 
to avoid some types of DoS attacks.
So my point to the original poster, was to recommend the use of a POST 
rather than a GET, if the application is such that it already now 
exceeds 8K for a URI.
In addition, even if one knows how many individual input fields there 
may be in a form which sends such a URI, and how long each field is in 
principle, it is much harder to predict how long a URI this will 
actually generate once URI-escaping has taken place, and each non-ASCII 
character has been replaced by a triplet of bytes.

There is no such arbitrary limit (or if there is, it is MUCH higher) for 
the body of a POST.
In addition, at least for the body of a POST, there is a possibility of 
indicating the character set of the data, which in fact there is not for 
  data contained in a URI.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message