André,

On 12/8/2010 5:58 PM, André Warnier wrote:
> If we are talking about a standard web application using a standard html
> interface and standard browsers, then such an upload would be triggered
> by a POST from a html form with a <input type="file"> in it, right ?
> If the upload URL (target of the form) is not within the HTTPS protected
> part, then anyone could access it and post a huge file to your site, no
> ? That may cause more stress on your server than doing this via HTTPS
> ever would.

Here's the bad news: this can happen anyway. If I initiate an upload to your webapp via HTTPS -- even if I don't have a session -- I can still waste a lot of resources.

I haven't confirmed this myself -- someone hopefully will -- but Tomcat will consume the entire request body before closing the connection from the client. That means that if I upload 1GiB to your server, your server is going to read every bit of it -- over HTTPS if I choose -- before returning the request processor to the pool.

Of course, all those bytes are simply discarded... it's not like that 1GiB is read entirely into memory or anything. But the whole file will be read, wasting all that CPU time for SSL and all that clock time waiting for the bytes to arrive, only to be ignored.

- -chris
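The following is an added example illustrating the point Chris raises above; it is not code from this thread, from the posters, or from the Tomcat project. It is a servlet Filter that rejects an oversized or unbounded upload based on the request headers alone, before the application reads a single byte of the body. The class name, the 10 MiB limit and the policy of refusing chunked uploads are assumptions chosen for illustration, and getContentLengthLong() assumes a Servlet 3.1 container (Tomcat 8 or later; on older versions use getContentLength(), which returns an int).

```java
// Added example, not part of the thread or of Tomcat: reject large uploads early.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UploadSizeFilter implements Filter {
    // Assumed limit for this example; set it to the largest upload the
    // application legitimately accepts.
    private static final long MAX_BODY_BYTES = 10L * 1024 * 1024;

    @Override
    public void init(FilterConfig config) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only methods that normally carry a body are checked.
        String method = request.getMethod();
        if ("POST".equals(method) || "PUT".equals(method)) {
            // -1 means no Content-Length header was sent (Servlet 3.1+ API).
            long declared = request.getContentLengthLong();
            boolean chunked = "chunked".equalsIgnoreCase(
                    request.getHeader("Transfer-Encoding"));

            // Example policy: refuse bodies that declare more than the limit,
            // and refuse bodies whose size cannot be known up front.
            if (declared > MAX_BODY_BYTES || (declared < 0 && chunked)) {
                // We deliberately never call getInputStream()/getReader(), so
                // the application itself reads nothing. Asking the container
                // not to reuse the connection limits how much it is worth
                // draining before the socket is closed.
                response.setHeader("Connection", "close");
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // no resources to release
    }
}
```

Map the filter to the upload URL(s) in web.xml. The caveat from the message above still applies: rejecting early keeps the application from reading the body, but the container may still drain what the client has already sent before it closes or reuses the connection. Later Tomcat releases added a maxSwallowSize attribute on the HTTP connector to cap how many bytes of an aborted request body Tomcat will swallow; it did not exist at the time of this thread, so whether it is available depends on the Tomcat version in use.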