[ http://issues.apache.org/jira/browse/ADFFACES-313?page=comments#action_12455488 ]

Adam Winer commented on ADFFACES-313:
-------------------------------------

It's a bit trickier than that...  the parsing is needed not only to find the 
files, but also to extract ordinary form parameters, like those used for page 
state.  So, we'd really have to continue parsing the entire page (just dropping 
the file content on the ground).  That means that we're parsing the mega-file, 
if not actually storing.  So, there's still a bit of DoS involved.

There's no real way to do per-mime-type size validation (and not clear you'd 
want to, since mime types can be lied about).  You can't do validation until 
*after* file upload has completed, because of how the JSF lifecycle and 
component models work.

It would be good, however, to at least support as an option showing a 
FacesMessage for the component where file upload failed.

> Improve Upload behaviour
> ------------------------
>
>                 Key: ADFFACES-313
>                 URL: http://issues.apache.org/jira/browse/ADFFACES-313
>             Project: MyFaces ADF-Faces
>          Issue Type: Improvement
>         Environment: All, commons-upload
>            Reporter: Patrick Huber
>
> Trinidad/commons-upload assume some memory and space limits for uploads which 
> can be configured in /WEB-INF/web.xml:
> -----------
> <context-param>
>     <param-name>org.apache.myfaces.trinidad.UPLOAD_MAX_MEMORY</param-name>
>     <param-value>512000</param-value>
> </context-param>
>     
> <context-param>
>     <param-name>org.apache.myfaces.trinidad.UPLOAD_MAX_DISK_SPACE</param-name>
>     <param-value>5120000</param-value>
> </context-param>
> -----------
> When the larger of these two values is exceeded, trinidad just throws an 
> EOFException. What the user sees in the browser is this:
> ----------
> HTTP ERROR: 500
> Per-request disk space limits exceeded.
> RequestURI=/apache_trinidad/upload.faces
> Caused by:
> java.io.EOFException: Per-request disk space limits exceeded.
>       at org.apache.myfaces.trinidadinternal.webapp.UploadedFileImpl.loadFile(UploadedFileImpl.java:236)
>       at org.apache.myfaces.trinidadinternal.webapp.UploadedFileProcessorImpl.processFile(UploadedFileProcessorImpl.java:106)
>       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doUploadFile(TrinidadFilterImpl.java:342)
>       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:254)
>       at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:90)
>       at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1040)
>       at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:352)
>       at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:230)
>       at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:627)
>       at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:149)
>       at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:123)
>       at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:141)
>       at org.mortbay.jetty.Server.handle(Server.java:286)
>       at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:444)
>       at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:715)
>       at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:627)
>       at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:203)
>       at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:340)
>       at org.mortbay.jetty.nio.HttpChannelEndPoint.run(HttpChannelEndPoint.java:270)
>       at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)
> Powered by Jetty://
> ----------
> It is possible to add a "validator" attribute to a tr:inputFile component. 
> However, that validator is only invoked when the upload size is smaller than 
> the limits and the upload succeeds. I believe these limits really do make 
> sense but a 500 plus stacktrace is not very cool. I propose that trinidad 
> writes a FacesMessage to the FacesContext for the inputFile component and 
> re-renders the same page, so the user sees the normal page again with a 
> meaningful error message. The error message should be 
> configurable/localizable.
> I don't know much about uploading things. Maybe it's also possible to 
> determine the upload size before having received any data and then invoke the 
> validator before receiving the data, so the developer could for example apply 
> different size limits based on the mime-type of the upload. The inputFile 
> component had to be extended to contain the same information as the 
> valueChangeListener of the inputFile component received on its invocation.
> regards
> Patrick

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
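
The point made in the comment above, that the body must still be parsed to the end for its ordinary form parameters even when oversized file content is dropped, shown as an added Python sketch (not Trinidad's or commons-upload's code, which is Java). `parse_upload`, its parameters and the per-field `errors` map standing in for a FacesMessage are hypothetical. Only file parts are size-limited here; part headers and ordinary fields are left uncapped.

```python
import re

def parse_upload(stream, boundary, max_file_bytes, chunk_size=8192):
    """Stream-parse multipart/form-data -> (fields, files, errors, bytes_read)."""
    delim = b"\r\n--" + boundary
    buf, total = b"\r\n", 0      # leading CRLF lets the first boundary match delim
    fields, files, errors, part = {}, {}, {}, None  # part: [name, is_file, kept, seen]
    def more():
        nonlocal buf, total
        data = stream.read(chunk_size)
        if not data:
            raise ValueError("truncated multipart body")
        buf += data
        total += len(data)
    def feed(data):
        if part is None:         # preamble before the first boundary
            return
        part[3] += len(data)
        if part[1] and part[3] > max_file_bytes:
            part[2].clear()      # over the limit: drop the content, keep parsing
        else:
            part[2] += data

    while True:
        idx = buf.find(delim)
        if idx < 0:              # no boundary yet; it may straddle two chunks
            keep = len(delim) - 1
            feed(buf[:-keep] if len(buf) > keep else b"")
            buf = buf[-keep:]
            more()
            continue
        feed(buf[:idx])
        buf = buf[idx + len(delim):]
        if part is not None:     # this boundary closes the current part
            name, is_file, kept, seen = part
            if not is_file:
                fields[name] = kept.decode("utf-8", "replace")
            elif seen > max_file_bytes:
                errors[name] = f"{seen} bytes exceeds limit of {max_file_bytes}"
            else:
                files[name] = bytes(kept)
        while not buf.startswith(b"--") and b"\r\n\r\n" not in buf:
            more()
        if buf.startswith(b"--"):    # closing boundary: body fully parsed
            return fields, files, errors, total
        head, buf = buf.split(b"\r\n\r\n", 1)
        m = re.search(rb'\bname="([^"]*)"', head)
        if m is None:
            raise ValueError("part without a field name")
        part = [m.group(1).decode(), b"filename=" in head, bytearray(), 0]
```

For an oversized upload the returned `bytes_read` still covers the whole file, which is the residual parsing cost the comment describes, while the form field that follows the file is recovered and the failure is reported per field instead of as an exception.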
