tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: enforcing SSL only for external clients
Date Thu, 09 Dec 2010 18:50:11 GMT
Christopher,

Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> André,
> 
> On 12/8/2010 5:58 PM, André Warnier wrote:
>> If we are talking about a standard web application using a standard HTML
>> interface and standard browsers, then such an upload would be triggered
>> by a POST from an HTML form with a <input type="file"> in it, right?
>> If the upload URL (target of the form) is not within the HTTPS protected
>> part, then anyone could access it and post a huge file to your site, no?
>> That may cause more stress on your server than doing this via HTTPS
>> ever would.
> 
> Here's the bad news: this can happen anyway. If I initiate an upload to
> your webapp via HTTPS -- even if I don't have a session -- I can still
> waste a lot of resources.
> 
> I haven't confirmed this myself -- someone hopefully will -- but Tomcat
> will consume the entire request body before closing the connection from
> the client. 

Assume that the upload URL in question is handled by an application requiring HTTPS.
And assume that the web application requires some form of user authentication.

Are you telling me that if a user connects for the first time to the site using this 
"upload URL", Tomcat is going to read the entire POST request prior to checking if this 
user is authenticated?
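The question above is about when the body of an upload gets consumed relative to the authentication check. The filter below is an added example written for this reply, not code from the thread or from Tomcat itself; it shows the defensive check an application can make before touching the body: refuse a POST from a caller that has no session (or no container principal) unless its declared Content-Length is small, so the application never buffers or parses a large anonymous upload. The limit, the session attribute name and the filter class are assumptions; `getContentLengthLong()` needs Servlet 3.1 or later, and the filter still has to be mapped to the upload URL in web.xml or with `@WebFilter`.

```java
// Added example (not from the thread): reject oversized anonymous uploads
// by their declared size before any of the request body is read.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class UploadGateFilter implements Filter {

    // Assumed ceiling for a caller without a session; tune per deployment.
    private static final long ANONYMOUS_MAX_BODY = 8L * 1024;

    // Assumed session attribute that the application's own login code sets.
    private static final String USER_ATTR = "authenticatedUser";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The thread's premise: the upload URL is only served over HTTPS.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        if ("POST".equalsIgnoreCase(request.getMethod()) && !isAuthenticated(request)) {
            // -1 means no Content-Length header (e.g. chunked), which we also refuse
            // for anonymous callers because the size cannot be checked up front.
            long declared = request.getContentLengthLong();
            if (declared < 0 || declared > ANONYMOUS_MAX_BODY) {
                // Nothing from the body has been read at this point.
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                        "Log in before uploading");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Container-managed authentication first, then the application's own session flag.
    static boolean isAuthenticated(HttpServletRequest request) {
        if (request.getUserPrincipal() != null) {
            return true;
        }
        HttpSession session = request.getSession(false); // never create a session here
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    @Override
    public void destroy() { }
}
```

This protects the application's memory and disk: the servlet behind the filter never sees the body. It does not by itself change what Christopher describes, namely how much of an aborted request body Tomcat drains off the socket before closing the connection; on current Tomcat versions that amount is bounded by the connector's `maxSwallowSize` attribute, which is the setting to look at for that part of the concern.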


