[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data

2018-01-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

--- Comment #6 from Michael  ---
(In reply to Remy Maucherat from comment #5)
> A fix will be in 9.0.4, 8.5.25, 8.0.49 and 7.0.84.

Great, thank you!

With this fix our request won't fail anymore for maxSavePostSize=0. And for
maxSavePostSize > 0 it still fails if the POST data is larger than
maxSavePostSize, as expected.

We are looking forward to integrating 8.5.25 as soon as it's released.

Just for clarity, why my understanding was that only strictly < 0 means no
limit was this line of code (and the tests we made):
https://github.com/apache/tomcat85/blob/41b5beb92da6ad56aec509a40cb7bdcc4fa504d4/java/org/apache/tomcat/util/buf/ByteChunk.java#L323

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data

2018-01-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

Remy Maucherat changed:

What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED

--- Comment #5 from Remy Maucherat  ---
A fix will be in 9.0.4, 8.5.25, 8.0.49 and 7.0.84.




[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data

2018-01-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

--- Comment #4 from Remy Maucherat  ---
"Furthermore the current implementation behaves as follows:
* value < 0 means no limit
* value >= 0 means limited to the value => so for value=0 every request with
any POST data will fail (403 Forbidden)"

I don't want to argue forever, but IMO this doesn't make much sense. Why would
your request "not fail" if it is too large? If the data is irrelevant, don't
send it in the first place, especially since it will have to be read by the
webserver anyway. Also, clients usually do not silently resend post data.

Last, actually, the current behavior is that <= 0 means no limit.




[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data

2018-01-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

--- Comment #3 from Michael  ---
BTW: We are willing to provide a patch if you agree.




[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data

2018-01-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

--- Comment #2 from Michael  ---
Thanks for your fast reply. Yes we have an actual need to disable the "save
post data" feature during authentication. We do not want the request to fail
(with 403) just because the POST data was more than x KB since we do not need
the POST data to be saved. Reading the documentation, we thought to have found
a solution for this problem by setting maxSavePostSize=0 so the POST data would
be ignored while the request is still being processed.

It is our understanding that saving the POST data of the request is a
performance improvement rather than a necessity.

In our use case we use the FormAuthenticator but do not redirect to a simple
HTML form but rather to a URL which does a programmatic login. The POST data is
irrelevant for the login and will be sent again from the client after
authentication.

Thus fixing the documentation would not help in our case. Furthermore the
current implementation behaves as follows:
* value < 0 means no limit
* value >= 0 means limited to the value => so for value=0 every request with
any POST data will fail (403 Forbidden)

So your suggestions to fix the documentation would not match with the current
implementation.




[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data

2018-01-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

--- Comment #1 from Remy Maucherat  ---
Ok, so the documentation isn't implemented properly when it comes to 0. Do you
have an actual need to disable the feature, or is this one of these academic
bug reports? I'm asking since disabling the feature will make requests fail,
while the actual cost of the feature is rather low with the default value,
hence the user benefit is nonexistent and the fix would instead be to fix the
docs [value <= 0 means no limit].




[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data

2018-01-15 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999

Michael changed:

What | Removed | Added
-----+---------+--------------
CC   |         | bsi@gmail.com
