On 7/6/07, Paul Benedict <[EMAIL PROTECTED]> wrote:
Niall Pemberton wrote: > I see no discussion on FILEUPLOAD-140 with Jochen about this and that > would seem a more logical place to fix than here in Struts. If it has > merit then you should be able to convince him - or at least try. I'm > no expert on file upload or DoS, but my gut feel is its a hack to fix > a problem that has nothing to do with Struts - which we've generally > resisted in the past. > > Niall > You make a really good point. I thought about discussing this with him, but I wasn't quite sure he would care. It sounds like he might, based on your post, so I'll give it a shot.
He may not, but he has more of a clue about this stuff than me.
It is true that the problem is not inside of Struts, but it's also true the request, when meeting the specific criteria, will hang indefinitely until the client's socket is terminated. Based on the ticket, it sounds like the user didn't find it in the example app but in his own development. Because this is likely to occur during normal development and isn't too-edgy of a use case, I found it important to fix. It can block development as well as production operations on a Windows box. The argument cuts both ways: would you prefer an indefinite blocking socket, or just completing the request with perhaps a large no-op upload? I believe the former is less ideal and the latter less likely to occur.
I have no clue as to the problem or solution - which is one reason I was hoping you would discuss with Jochen. If you can't convince Jochen its a good idea, then IMO its probably not a good idea for Struts either - if you can convince him, then he'll change FileUpload and we can remove it from Struts! Niall
Paul
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
