Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: pass (athena.apache.org: domain of aw@ice-sa.com designates
 212.85.38.228 as permitted sender)
Message-ID: <4B13FD26.1000007@ice-sa.com>
Date: Mon, 30 Nov 2009 18:13:10 +0100
From: =?ISO-8859-1?Q?Andr=E9_Warnier?= <aw@ice-sa.com>
Reply-To: Tomcat Users List <users@tomcat.apache.org>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: AJP with HTTPD - Buffer Size on long URLs
References: <f36128690911271548s5829c4ddga5d9114e7319ae15@mail.gmail.com>
 		<99C8B2929B39C24493377AC7A121E21F9680145691@USEA-EXCH8.na.uis.unisys.com>
 		<f36128690911272010r206560b1g91f32db62bb25ed@mail.gmail.com>
 		<99C8B2929B39C24493377AC7A121E21F9680145697@USEA-EXCH8.na.uis.unisys.com>
 	<f36128690911272243r5c660b09wde9994799f05476b@mail.gmail.com>
 	<4B111349.6030104@ice-sa.com>
 	<948126CDFED9634D8B12AF27F009EDC501C082EF@oce-exbe03-v.oce.net>
 	<4B138102.9060403@ice-sa.com>
 <948126CDFED9634D8B12AF27F009EDC501C083A3@oce-exbe03-v.oce.net>
 <99C8B2929B39C24493377AC7A121E21F9680145CD8@USEA-EXCH8.na.uis.unisys.com>
In-Reply-To: 
 <99C8B2929B39C24493377AC7A121E21F9680145CD8@USEA-EXCH8.na.uis.unisys.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Caldarale, Charles R wrote:
>> From: Looijmans, Mike [mailto:mike.looijmans@oce.com]
>> Subject: RE: AJP with HTTPD - Buffer Size on long URLs
>>
>>> Looijmans, Mike wrote:
>>>> The RFC specs a maximum URL size of 4k.
>>> Where precisely did you find that ?
>> RFC2068 (old HTTP/1.1 spec)
> 
> Citing an obsoleted RFC is a bit odd.  Regardless, the actual wording from section 3.2.1 of 2068 and 2616 (the superseding document) is:
> 
> "The HTTP protocol does not place any a priori limit on the length of a URI."
> 
> Followed shortly by:
> 
> "A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than the server can handle (see section 10.4.15)."
> 
> (Note the SHOULD, not MUST.)
> 
> There is also a warning note:
> 
> "Note: Servers should be cautious about depending on URI lengths above 255 bytes, because some older client or proxy implementations may not properly support these lengths."
> 
> No mention of a 4K limit anywhere that I can find.
> 
Right. +1.
My point here (toward Mike) was that one should avoid propagating rumors 
or incorrect information, on a list that is read by unsuspecting users 
which may then believe that this is the ultimate truth.

This being said, the specs do not set a specific limit to a URI length, 
but it is certain that any server software has a practical one, if only 
to avoid some types of DoS attacks.
So my point to the original poster, was to recommend the use of a POST 
rather than a GET, if the application is such that it already now 
exceeds 8K for a URI.
In addition, even if one knows how many individual input fields there 
may be in a form which sends such a URI, and how long each field is in 
principle, it is much harder to predict how long a URI this will 
actually generate once URI-escaping has taken place, and each non-ASCII 
character has been replaced by a triplet of bytes.

There is no such arbitrary limit (or if there is, it is MUCH higher) for 
the body of a POST.
In addition, at least for the body of a POST, there is a possibility of 
indicating the character set of the data, which in fact there is not for 
  data contained in a URI.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org