On 28/04/2023 08:16, 沉淀 wrote:
I am reading the source code of Tomcat, the version is 9.0.73. I see such a piece of code in the `await()` method in the `StandardServer` class:

    int expected = 1024; // Cut off to avoid DoS attack
    while (expected < shutdown.length()) {
        if (random == null) {
            random = new Random();
        }
        expected += (random.nextInt() % 1024);
    }
    while (expected > 0) {
        int ch = -1;
        try {
            ch = stream.read();
        } catch (IOException e) {
            log.warn(sm.getString("standardServer.accept.readError"), e);
            ch = -1;
        }
        // Control character or EOF (-1) terminates loop
        if (ch < 32 || ch == 127) {
            break;
        }
        command.append((char) ch);
        expected--;
    }

Why doesn't the `expected` here directly make it equal to `shutdown.length`? For example, the stream contains 1024 characters, `shutdown` is still its default value: SHUTDOWN, and it still needs to loop 1024 times in the second while loop.

Please answer my doubts, thank you.

Security.

Mark