Christopher,

Christopher Schultz wrote:
André,

On 12/8/2010 5:58 PM, André Warnier wrote:
If we are talking about a standard web application using a standard HTML
interface and standard browsers, then such an upload would be triggered
by a POST from an HTML form with an <input type="file"> in it, right?
If the upload URL (target of the form) is not within the HTTPS-protected
part, then anyone could access it and post a huge file to your site, no?
That may cause more stress on your server than doing this via HTTPS
ever would.

Here's the bad news: this can happen anyway. If I initiate an upload to
your webapp via HTTPS -- even if I don't have a session -- I can still
waste a lot of resources.

I haven't confirmed this myself -- someone hopefully will -- but Tomcat
will consume the entire request body before closing the connection from
the client.

Assume that the upload URL in question is handled by an application requiring HTTPS.
And assume that the web application requires some form of user authentication.

Are you telling me that if a user connects for the first time to the site using this "upload URL", Tomcat is going to read the entire POST request prior to checking if this user is authenticated?
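An added example, not code from this thread or from Tomcat itself, of how a web application can refuse such an upload on the request headers alone, before any of the body is read: a hypothetical servlet Filter mapped to the upload URL, assuming the application's login code stores a "user" session attribute and that 50 MiB is the accepted upload limit.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter mapped to the upload URL. It decides on headers alone,
// before any servlet or multipart parser touches the request body.
public class UploadGuardFilter implements Filter {
    // Largest declared body this deployment accepts (assumed value: 50 MiB).
    private static final long MAX_UPLOAD_BYTES = 50L * 1024 * 1024;

    @Override public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Authentication first. getSession(false) never creates a session, so an
        //    anonymous client cannot make the server allocate state either.
        //    "user" is an assumed attribute set by this application's login code.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. Size check on the declared length only (Servlet 3.1+ API); this reads
        //    the header, not the stream. Chunked uploads (no Content-Length) are
        //    refused so the limit cannot be bypassed by omitting the header.
        long declared = request.getContentLengthLong();
        if (declared < 0) {
            response.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
            return;
        }
        if (declared > MAX_UPLOAD_BYTES) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }

        chain.doFilter(req, res); // only now may the upload servlet read the body
    }

    @Override public void destroy() { }
}
```

Rejecting early bounds what the application reads, not what the connector does with a body already in flight; later Tomcat releases add a `maxSwallowSize` connector attribute that caps how much of a rejected request body the connector will drain before closing the connection.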
