Posted to issues@commons.apache.org by "Jochen Wiedmann (JIRA)" <ji...@apache.org> on 2009/01/18 03:52:59 UTC

[jira] Resolved: (FILEUPLOAD-168) read form field parameters even if maxSize has been exceeded

     [ https://issues.apache.org/jira/browse/FILEUPLOAD-168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jochen Wiedmann resolved FILEUPLOAD-168.
----------------------------------------

    Resolution: Won't Fix
      Assignee: Jochen Wiedmann

Paul, I am sorry, but I won't do anything in that area.

First of all, as Martin has already pointed out, you should most possibly be using FileSizeMax, and not SizeMax.

Second, the limits are a security measure and designed to prevent DOS attacks. Obviously, your fear is not a DOS. But then you should question yourself whether you need these limits at all and whether it wouldn't be just better to iterate over the parameters using the streaming API without throwing any exceptions, possibly discarding files which become too large.

Third, no one with a sane mind would ignore the content-length header fields, in order to throw exceptions as soon as possible. But this means that you *always* have to expect such exceptions before the data you desire has even been read.



> read form field parameters even if maxSize has been exceeded
> ------------------------------------------------------------
>
>                 Key: FILEUPLOAD-168
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-168
>             Project: Commons FileUpload
>          Issue Type: Improvement
>         Environment: commons fileupload 1.2.2-SNAPSHOT
>            Reporter: Paul Rivera
>            Assignee: Jochen Wiedmann
>         Attachments: fileupload1.patch, fileupload2.patch
>
>
> Hi!
> This issue is similar to FILEUPLOAD-140.  I can't seem to reopen it so I created a new one instead.  FILEUPLOAD-140 was marked as resolved by using the streaming API, if I'm not mistaken.  No change was done.  But I disagree on the resolution of simply using the streaming API (as detailed in http://commons.apache.org/fileupload/streaming.html).
> First of all, I tried to upload a big file exceeding maxSize with streaming API and got the SizeLimitExceededException even before ANY parameter has been read.
> ServletFileUpload.getItemIterator() calls FileUploadBase.getItemIterator() which creates a new FileItemIteratorImpl().  In the constructor code of FileItemIteratorImpl, it already checks for the requestSize and throws SizeLimitExceededException if sizeMax is exceeded.
> I'd like to open this discussion again and hope that in the end, we can have either:
>   - form field parameters BEFORE the file parameter will still get read if requestSize is greater than sizeMax and then terminate once we reach the file
>   - all form field parameters will still get read if requestSize is greater than sizeMax.  But, we should skip reading the body of the files and proceed to the next 'boundary' so as not to keep the user waiting, if ever this is possible. (preferred)
> Then, we should also apply the same improvement into PortletFileUpload.

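The approach described in the resolution comment (iterating over the parts with the streaming API, with no sizeMax or fileSizeMax set, and discarding files that become too large), as an added example that is not part of the original message or of Commons FileUpload itself. `LenientUploadReader`, `copyCapped`, `readFields`, the two cap constants and the `uploadDir` and `rejected` parameters are hypothetical names, and the cap values are assumptions.

```java
import java.io.*;
import java.util.*;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItemIterator;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class LenientUploadReader {
    static final long MAX_FILE_BYTES = 5L * 1024 * 1024; // assumed per-file cap
    static final long MAX_FIELD_BYTES = 64 * 1024;       // assumed per-field cap

    /** Copies at most max bytes to out and drains the rest; false if the part was too large. */
    static boolean copyCapped(InputStream in, OutputStream out, long max) throws IOException {
        byte[] buf = new byte[8192];
        long total = 0;
        int n;
        // The whole part is still read from the connection: the parser can only
        // reach the next boundary by consuming the bytes in front of it.
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total <= max) out.write(buf, 0, n); // past the cap: read and discard
        }
        return total <= max;
    }

    /** Returns every form field; oversized files are dropped and named in rejected. */
    public static Map<String, String> readFields(HttpServletRequest request, File uploadDir,
            List<String> rejected) throws IOException, FileUploadException {
        Map<String, String> fields = new LinkedHashMap<String, String>();
        // No sizeMax/fileSizeMax set, so getItemIterator() does not reject the
        // request on its Content-Length before any part has been read.
        FileItemIterator iter = new ServletFileUpload().getItemIterator(request);
        while (iter.hasNext()) {
            FileItemStream item = iter.next();
            try (InputStream in = item.openStream()) {
                if (item.isFormField()) {
                    ByteArrayOutputStream value = new ByteArrayOutputStream();
                    if (copyCapped(in, value, MAX_FIELD_BYTES)) // oversized fields are skipped
                        fields.put(item.getFieldName(), value.toString("UTF-8"));
                } else {
                    // Server-chosen temp name; the client-supplied file name is never used as a path.
                    File tmp = File.createTempFile("upload", ".part", uploadDir);
                    boolean ok;
                    try (OutputStream out = new FileOutputStream(tmp)) {
                        ok = copyCapped(in, out, MAX_FILE_BYTES);
                    }
                    if (!ok) { tmp.delete(); rejected.add(item.getFieldName()); }
                }
            }
        }
        return fields;
    }
}
```

With no sizeMax configured, nothing in this code bounds the total request size, so that protection has to come from elsewhere, such as a request-size limit in the servlet container or a reverse proxy.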