>> - use the database layer (maxblobsize) as a value for the maxFileSize
>> -1 This way all form fields have to fit in 1 database field. Blob size
>> restrictions are usually very high (>1GB). What will happen with a DoS
>> attack?
>
> blobs can still have a size (say images max 4 MB and attachment max 10 MB?)
> informix has a max query size does this affect what can be uploaded?

Yes, blobs can have sizes, but sometimes when you are not thinking you can set it way too large without knowing the implications if you let your frontend depend on your backend. It really depends how the code is if the query size is an issue. With the old driver you have to open a stream to the database instead of adding the bytes to the query. Maybe the newest drivers support the java.sql.Blob write functionality.

>> - create a config/util/ directory and put there the configuration files
>> just like the modules/builders.
>> +1 I would expect it somewhere in the config dir
>
>> - Set the maxFileSize in the constructor of HttpPost.
>> -1 Then it has to be defined on multiple places?
> Doesn't it make sense to you to make this configurable
> so that for example you decide that attachments can be bigger than images?

The maxFileSize is now used for the form contentlength. It is only nice if you upload only one image or attachment in the form. Otherwise you still have to find out how many uploads there are.

> A quick grep shows the files using HttpPost (the editwizards are using
> jspsmartupload)

So the editwizards have no limit on the upload? Or is the jspsmartupload totalfilesize set?

> bridge/jsp/taglib/ContextTag.java
> servlet/SimpleFormToMailServlet.java (deprecated?)
> servlet/remoteXML.java (deprecated?)
> servlet/servdb.java (deprecated?)
> servlet/servscan.java (hmm?)
>
> not very impressive. I think HttpPost should be deprecated and therefore the
> configuration hidden somewhere deep inside the HttpPost code

Right, but it is nice to have it documented somewhere what the total size is that you can upload.

Nico
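The two kinds of limit discussed in this thread (one cap on the whole form, separate caps per upload type), as an added example that is not part of the original message and is not MMBase code. The class `UploadLimits`, its methods, the field names and the 16 MB form cap are assumptions; the 4 MB and 10 MB values are the ones suggested in the thread.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;

/** Hypothetical illustration: frontend limits that do not depend on the blob size. */
public class UploadLimits {
    // Per-field caps, using the sizes suggested in the thread.
    static final Map<String, Long> MAX_PER_FIELD = Map.of(
        "image", 4L * 1024 * 1024,
        "attachment", 10L * 1024 * 1024);
    // Cap for the whole form (assumed value for this example).
    static final long MAX_REQUEST = 16L * 1024 * 1024;

    private long totalRead = 0;

    /** Early reject on the declared length; -1 (unknown) passes, so bytes are still counted below. */
    void checkDeclaredLength(long contentLength) throws IOException {
        if (contentLength > MAX_REQUEST) throw new IOException("request too large");
    }

    /** Reads one upload part, counting the bytes actually received instead of trusting headers. */
    byte[] readPart(String field, InputStream in) throws IOException {
        Long cap = MAX_PER_FIELD.get(field);
        if (cap == null) throw new IOException("unexpected upload field: " + field);
        // Buffered in memory for brevity; a real handler would stream to the database.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        long partRead = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            partRead += n;
            totalRead += n;
            if (partRead > cap) throw new IOException(field + " exceeds " + cap + " bytes");
            if (totalRead > MAX_REQUEST) throw new IOException("form exceeds " + MAX_REQUEST + " bytes");
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        UploadLimits limits = new UploadLimits();
        limits.checkDeclaredLength(6L * 1024 * 1024);
        // Constructed sample parts: a 1 MB image is accepted, a 5 MB image is rejected.
        System.out.println(limits.readPart("image", new ByteArrayInputStream(new byte[1 << 20])).length);
        try {
            limits.readPart("image", new ByteArrayInputStream(new byte[5 << 20]));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```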
