Posted to users@httpd.apache.org by Pito Salas <rp...@salas.com> on 2010/10/04 20:23:28 UTC
[users@httpd] A newbie question about http post
I was having a debate with a friend of mine. Can you clear this up?
Is it true that I can do an http post to any apache/httpd server and
get it to upload a file? It would seem like an application should give
permission, or at least that httpd could be configured so that an
application needs to give permission.
In other words:
<form action="http://gmail.com/" method="post" enctype="multipart/form-data">
<input type="file" name="big"/>
<input type="submit" value="go"/>
</form>
Will the server accept and process all the gazillion bits of the file
even if no application has said it wants it?
I know it's probably a dumb question (he says it is) but it seems to
be such a big opening for a DOS attack that I can't believe it's
possible.
Thanks for any insights (or references where the answer is explained)
- Pito
--
Check out http://www.salas.com and http://www.blogbridge.com/look
Re: [users@httpd] A newbie question about http post
Posted by fakessh <fa...@fakessh.eu>.
Use the Ajax library for the upload,
and activate the JavaScript in the form and control all the
variables for the upload.
It's a nice way.
On Monday 04 October 2010 at 14:23 -0400, Pito Salas wrote:
> I was having a debate with a friend of mine. Can you clear this up?
>
> Is it true that I can do an http post to any apache/httpd server and
> get it to upload a file? It would seem like an application should give
> permission, or at least that httpd could be configured so that an
> application needs to give permission.
>
> In other words:
>
> <form action="http://gmail.com/" method="post" enctype="multipart/form-data">
> <input type="file" name="big"/>
> <input type="submit" value="go"/>
> </form>
>
> Will the server accept and process all the gazillion bits of the file
> even if no application has said it wants it?
>
> I know it's probably a dumb question (he says it is) but it seems to
> be such a big opening for a DOS attack that I can't believe it's
> possible.
>
> Thanks for any insights (or references where the answer is explained)
>
> - Pito
>
--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7