tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: enforcing SSL only for external clients
Date Thu, 09 Dec 2010 16:59:42 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 12/8/2010 5:58 PM, André Warnier wrote:
> If we are talking about a standard web application using a standard html
> interface and standard browsers, then such an upload would be triggered
> by a POST from a html form with a <input type="file"> in it, right ?
> If the upload URL (target of the form) is not within the HTTPS protected
> part, then anyone could access it and post a huge file to your site, no
> ?  That may cause more stress on your server than doing this via HTTPS
> ever would.

Here's the bad news: this can happen anyway. If I initiate an upload to
your webapp via HTTPS -- even if I don't have an session -- I can still
waste a lot of resources.

I haven't confirmed this myself -- someone hopefully will -- but Tomcat
will consume the entire request body before closing the connection from
the client. That means that if I upload 1GiB to your server, your server
is going to read every bit of it -- over HTTPS if I choose -- before
returning the request processor to the pool. Of course, all those bytes
are simply discarded... it's not like that 1GiB is read entirely into
memory or anything.

But the whole file will be read, wasting all that CPU time for SSL and
all that clock time waiting for the bytes to arrive, only to be ignored.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk0BCv4ACgkQ9CaO5/Lv0PBgoACdE6eYh/AjBw4VIXoqqVGYXf9k
4j8AniYyABorFpUnR5Q/QN98M1E4Bi6F
=q4jw
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message