Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2012/12/17 20:23:17 UTC

Re: [OT] Does maxPostSize has an effect on file upload?

Nick,

On 12/14/12 5:36 PM, Williams, Nick wrote:
>> The way Tomcat is apparently doing it now is much more sensible,
>> in my humble opinion, because it does allow a direct and easy 
>> comparison with the files being uploaded. And since as per above
>> it needs to be kept in some cases anyway, my vote - if I had one
>> - would be to not change it.
> 
> I must agree with André. The process of base64 encoding a file 
> increases the number of bytes it takes to transmit it. But since
> that is not the actual size of the file, the extra length should
> not be counted towards the post size. The process by which the part
> lengths are added up DECODED is a much more accurate way to do it,
> in my opinion.

Right.

It also protects against uploading a file using gzip encoding where
the actual file is larger than the "upload limit".

It also means that uploading a zip bomb[1] can be detected and prevented.

Reasonable people can argue about the appropriateness of the first
point above (is the admin trying to cap the number of bytes uploaded
or the number of bytes effectively placed on the filesystem?) but the
second one is very important to the stability of a server.

> How confusing would it be to a user who uploads a file that is
> 1,989,956 bytes to get notified that the file exceeded the 2 MB 
> limit? The user certainly wouldn't understand that his file base64 
> encoded was larger than 2 MB. He would think the site was broken.

Files are rarely uploaded using base64 over HTTP -- that kind of thing
is much more common when using binary-intolerant systems like SMTP.
I'm not sure any normal user-agents can upload using base64, anyway. I
think you basically have identity, compress, gzip, and deflate
content-encodings. Anything done with base64 would have to have a
custom client and the webapp would have to handle the decoding.

-chris

[1] http://en.wikipedia.org/wiki/Zip_bomb

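The point made in the message above, that a limit applied to decoded bytes catches a small compressed body that expands far past the cap, shown as an added example (not Tomcat's code and not code from this thread). The class and method names are hypothetical, and the gzip inputs are constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class DecodedSizeLimit {

    /** Hypothetical helper: drains a gzip body, failing once the DECODED size passes maxDecoded. */
    static long countDecoded(InputStream gzipBody, long maxDecoded) throws IOException {
        byte[] buf = new byte[8192];
        long total = 0;
        try (InputStream in = new GZIPInputStream(gzipBody)) {
            int n;
            while ((n = in.read(buf)) != -1) {
                total += n;
                // Checked while streaming: at most one buffer past the limit is ever inflated.
                if (total > maxDecoded) {
                    throw new IOException("decoded body exceeds " + maxDecoded + " bytes");
                }
                // A real handler would write buf[0..n) to its destination here.
            }
        }
        return total;
    }

    /** Constructed sample input: `size` zero bytes, gzip-compressed in memory. */
    static byte[] gzipZeros(int size) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(new byte[size]);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        long limit = 2L * 1024 * 1024;               // 2 MB cap on decoded bytes
        byte[] small = gzipZeros(1_989_956);         // decodes to just under the cap
        byte[] bomb = gzipZeros(64 * 1024 * 1024);   // tiny on the wire, 64 MB decoded
        System.out.println("small: " + small.length + " bytes on the wire, "
                + countDecoded(new ByteArrayInputStream(small), limit) + " decoded");
        try {
            countDecoded(new ByteArrayInputStream(bomb), limit);
        } catch (IOException e) {
            System.out.println("bomb: " + bomb.length + " bytes on the wire, rejected: " + e.getMessage());
        }
    }
}
```

A check on the compressed length alone would accept both inputs, since each is far below 2 MB on the wire.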