Re: AJP with HTTPD - Buffer Size on long URLs

Mon, 30 Nov 2009 09:14:03 -0800 

Caldarale, Charles R wrote:

From: Looijmans, Mike [mailto:mike.looijm...@oce.com]
Subject: RE: AJP with HTTPD - Buffer Size on long URLs


Looijmans, Mike wrote:

The RFC specs a maximum URL size of 4k.

Where precisely did you find that ?

RFC2068 (old HTTP/1.1 spec)


Citing an obsoleted RFC is a bit odd.  Regardless, the actual wording from 
section 3.2.1 of 2068 and 2616 (the superseding document) is:

"The HTTP protocol does not place any a priori limit on the length of a URI."

Followed shortly by:

"A server SHOULD return 414 (Request-URI Too Long) status if a URI is longer than 
the server can handle (see section 10.4.15)."

(Note the SHOULD, not MUST.)

There is also a warning note:

"Note: Servers should be cautious about depending on URI lengths above 255 bytes, 
because some older client or proxy implementations may not properly support these 
lengths."

No mention of a 4K limit anywhere that I can find.


Right. +1.
My point here (toward Mike) was that one should avoid propagating rumors or incorrect information, on a list that is read by unsuspecting users which may then believe that this is the ultimate truth.
This being said, the specs do not set a specific limit to a URI length, but it is certain that any server software has a practical one, if only to avoid some types of DoS attacks. So my point to the original poster, was to recommend the use of a POST rather than a GET, if the application is such that it already now exceeds 8K for a URI. In addition, even if one knows how many individual input fields there may be in a form which sends such a URI, and how long each field is in principle, it is much harder to predict how long a URI this will actually generate once URI-escaping has taken place, and each non-ASCII character has been replaced by a triplet of bytes.
There is no such arbitrary limit (or if there is, it is MUCH higher) for the body of a POST. In addition, at least for the body of a POST, there is a possibility of indicating the character set of the data, which in fact there is not for data contained in a URI. 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to