[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999 --- Comment #6 from Michael--- (In reply to Remy Maucherat from comment #5) > A fix will be in 9.0.4, 8.5.25, 8.0.49 and 7.0.84. Great, thank you! With this fix our request won't fail anymore for maxSavePostSize=0. And for maxSavePostSize > 0 it still fails if the POST data is larger than maxSavePostSize, as expected. We are looking forward to integrate 8.5.25 as soon as it's released. Just for clarity, why my understanding was that only strictly < 0 means no limit was this line of code (and the tests we made): https://github.com/apache/tomcat85/blob/41b5beb92da6ad56aec509a40cb7bdcc4fa504d4/java/org/apache/tomcat/util/buf/ByteChunk.java#L323 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999 Remy Maucheratchanged: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #5 from Remy Maucherat --- A fix will be in 9.0.4, 8.5.25, 8.0.49 and 7.0.84. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999 --- Comment #4 from Remy Maucherat--- "Furthermore the current implementation behaves as follows: * value < 0 means no limit * value >= 0 means limited to the value => so for value=0 every request with any POST data will fail (403 Forbidden)" I don't want to argue forever, but IMO this doesn't make much sense. Why would your request "not fail" if it is too large ? If the data is irrelevant, don't send it in the first place, especially since it will have to be read by the webserver anyway. Also, clients usually do not silently resend post data. Last, actually, the current behavior is that <= 0 means no limit. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999 --- Comment #3 from Michael--- BTW: We are willing to provide a patch if you agree. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999 --- Comment #2 from Michael--- Thanks for your fast reply. Yes we have an actual need to disable the "save post data" feature during authentication. We do not want the request to fail (with 403) just because the POST data was more than x KB since we do not need the POST data to be saved. Reading the documentation, we thought to have found a solution for this problem by setting maxSavePostSize=0 so the POST data would be ignored while the request is still being processed. It is our understanding that saving the POST data of the request is a performance improvement rather than a necessity. In our use case we use the FormAuthenticator but do not redirect to a simple HTML form but rather to a URL which does a programmatic login. The POST data is irrelevant for the login and will be sent again from the client after authentication. Thus fixing the documentation would not help in our case. Furthermore the current implementation behaves as follows: * value < 0 means no limit * value >= 0 means limited to the value => so for value=0 every request with any POST data will fail (403 Forbidden) So your suggestions to fix the documentation would not match with the current implementation. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999 --- Comment #1 from Remy Maucherat--- Ok, so the documentation isn't implemented properly when it comes to 0. Do you have an actual need to disable the feature, or is this one of these academic bug reports ? I'm asking since disabling the feature will make requests fail, while the actual cost of the feature is rather low with the default value, hence the user benefit is non existent and the fix would instead be to fix the docs [value <= 0 means no limit]. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 61999] Setting maxSavePostSize=0 won't disable saving POST data
https://bz.apache.org/bugzilla/show_bug.cgi?id=61999 Michaelchanged: What|Removed |Added CC||bsi@gmail.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org