tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: enforcing SSL only for external clients
Date Thu, 09 Dec 2010 16:59:42 GMT

On 12/8/2010 5:58 PM, André Warnier wrote:
> If we are talking about a standard web application using a standard html
> interface and standard browsers, then such an upload would be triggered
> by a POST from a html form with a <input type="file"> in it, right ?
> If the upload URL (target of the form) is not within the HTTPS protected
> part, then anyone could access it and post a huge file to your site, no
> ?  That may cause more stress on your server than doing this via HTTPS
> ever would.

Here's the bad news: this can happen anyway. If I initiate an upload to
your webapp via HTTPS -- even if I don't have a session -- I can still
waste a lot of resources.

I haven't confirmed this myself -- someone hopefully will -- but Tomcat
will consume the entire request body before closing the connection from
the client. That means that if I upload 1GiB to your server, your server
is going to read every bit of it -- over HTTPS if I choose -- before
returning the request processor to the pool. Of course, all those bytes
are simply discarded... it's not like that 1GiB is read entirely into
memory or anything.

But the whole file will be read, wasting all that CPU time for SSL and
all that clock time waiting for the bytes to arrive, only to be ignored.

- -chris
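One way to keep anonymous or oversized POSTs from reaching the upload servlet at all, as an added illustration that is not code from the thread or from Tomcat: a hypothetical servlet filter mapped to the upload URL that checks the session and the declared Content-Length before any body byte is read. The filter name, the 10 MiB limit, and the decision to refuse chunked (unknown-length) uploads are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Tomcat or this thread) mapped to the
 * form's upload URL. It rejects anonymous or oversized POSTs before the
 * servlet behind it starts consuming the request body.
 */
public class UploadGateFilter implements Filter {
    // Assumed limit; set it to what the application legitimately accepts.
    private static final int MAX_UPLOAD_BYTES = 10 * 1024 * 1024;

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if ("POST".equalsIgnoreCase(request.getMethod())) {
            // getSession(false) never creates a session, so a client cannot
            // make the server allocate one just by POSTing to this URL.
            if (request.getSession(false) == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // The declared length comes from the headers, so it is known
            // before a single body byte is read. -1 means no Content-Length
            // (e.g. chunked transfer); this example refuses those as well.
            int declared = request.getContentLength();
            if (declared < 0 || declared > MAX_UPLOAD_BYTES) {
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Rejecting early spares the application from parsing the body, but it does not by itself stop the container from draining the remaining bytes on the connection, which is the behaviour Chris describes above; later Tomcat versions bound that drain with the connector's maxSwallowSize attribute.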