Posted to dev@commons.apache.org by Will Stranathan <ws...@hotmail.com> on 2003/06/13 20:19:19 UTC

[fileupload] when does request get passed?

Is it documented in the Servlet API when a servlet's service() method begins 
to be executed in terms of when the request is sent to the server?  The 
reason I ask is because, the way FileUpload is currently implemented, 
setSizeMax does not prevent a DoS attack - it just limits the size of an 
uploaded item AFTER the entire stream has (seemingly) been received by the 
servlet.

For example, set your sizeMax to something very low, and try uploading a 
very large file - yes - the exception will get thrown, but not until the 
entire contents of the file have been sent.

Is this something that a filter will fix?  Or is it something that has to 
change in the container's code?

Thanks,
Will Stranathan



---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


RE: [fileupload] when does request get passed?

Posted by Andrey Aristarkhov <Ar...@bitechnology.ru>.
Will,

The request is parsed when the first call to getParameterXXX() is made.
But FileUpload uses its own parser to parse the request.
There is no problem implementing a filter that will decline huge
requests by checking the Content-Length request header. So it's not
necessary to change the container code. But the reason is to update
the parsing model of FileUpload to be able to detect huge uploads on-the-fly
and not after complete request parsing. Another issue in the current
FileUpload implementation is that sizeMax defines the _maximum request
size_ but not the _maximum size of uploaded file_. So if sizeMax was set
before request parsing and the request content length exceeds this limit,
SizeLimitExceededException will be thrown (FileUploadBase.java, line
315). Probably sizeMax should be propagated to newly created
FileItems, or there should be a new property added, say maxFileSize, to
limit the size of uploaded files? (Actually this new property should be
used inside the MultipartStream class).

Regards,
Andrey Aristarkhov
BiTechnology 
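
An added example, not part of the thread and not FileUpload's own code: a servlet filter that declines a request on its Content-Length header before the body is read, plus a counting stream that enforces the same limit on-the-fly when the header is absent or understated. The class names and the "maxBytes" init-param are hypothetical.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UploadSizeFilter implements Filter {
    private long maxBytes;

    public void init(FilterConfig cfg) {
        // "maxBytes" is a hypothetical init-param name configured in web.xml
        maxBytes = Long.parseLong(cfg.getInitParameter("maxBytes"));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Parse the header as a long: getContentLength() is an int and cannot represent > 2 GB.
        String header = ((HttpServletRequest) req).getHeader("Content-Length");
        long declared = -1; // -1 = no length declared (e.g. chunked); checked while reading instead
        try {
            if (header != null) declared = Long.parseLong(header.trim());
        } catch (NumberFormatException e) {
            declared = Long.MAX_VALUE; // malformed length: treat as oversized
        }
        if (declared > maxBytes) {
            // Decline before the application reads any of the body.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** Fails as soon as more than max bytes have been read, not after the whole body. */
    public static class LimitedInputStream extends FilterInputStream {
        private final long max;
        private long count;
        public LimitedInputStream(InputStream in, long max) { super(in); this.max = max; }
        private int counted(int n) throws IOException {
            if (n > 0 && (count += n) > max) throw new IOException("body exceeds " + max + " bytes");
            return n;
        }
        public int read() throws IOException { return super.read() < 0 ? -1 : rewind1(); }
        private int rewind1() throws IOException { throw new IOException("use read(byte[],int,int)"); }
        public int read(byte[] b, int off, int len) throws IOException { return counted(super.read(b, off, len)); }
    }
}
```

Code that reads the body itself wraps request.getInputStream() in LimitedInputStream and reads through the buffered read(byte[], int, int) path, which is the only one this narrowed example counts.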
