On 10.02.2011 18:44, Mark Thomas wrote:
On 10/02/2011 13:04, Rainer Jung wrote:
Servlet 3 standardizes file uploads. It contains the ability to limit on
request size, pretty much the same as commons fileupload supported for
many years.
It seems when this conditions triggers the rest of the request inout
stream is still drained at the end of the request. swallowInput is not
being set to false.
It seems there's still no server-side prevention against huge uploads
possible. The upload is not put into memory, but the thread is only
freed once the whole request body is read. Shouldn't Tomcat ignore the
rest of data and close the connection in this case?
Yep.
Because of Bill's remark about HTTP compliance and the result of my
browser tests, I think the default behaviour at least for TC before 7
should stay as is.
I implemented a simple patch for the TC 7 HTTP connectors using a custom
request property to allow the application to signal to the container,
that it should drop the connection and not drain it:
http://people.apache.org/~rjung/patches/tomcat-trunk-upload-abort.patch
Default: unchanged behaviour.
Since there's no universally correct setting and the correct behaviour
depends on the application use case a request attribute sounded OK. A
connector configuration or system property doesn't sound right and a
context configuration might be nasty to get pushed down to the connector
code, though I didn't check that (although I could likely again use a
request attribute to push the info down to the connector).
I still need to experiment with the AJP connectors. It wasn't obvious
from the impl how it handles the situation.
Any hints about where to add stuff to the docs? Are people fine with
making it controllable via the request attribute?
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
