https://bz.apache.org/bugzilla/show_bug.cgi?id=61692

--- Comment #2 from jm009 <jan0mich...@yahoo.com> ---
(In reply to Christopher Schultz from comment #1)
> I don't like this patch (-1) for a number of reasons.
> 
> 1. It uses many regular expressions during each request: poor performance

Patterns are compiled in init(), not for each request.

Let Pattern p = Pattern.compile("A|B|C|D").
Then
p.matcher(String).matches
should be as efficient as
"A".equals(String) || "B".equals(String) || "C".equals(String) ||
"D".equals(String).



> 2. It requires configuration for what should be pass-through semantics
> 
> Why not simply replace doGet, doPost, etc. with service(Request,Response)
> and pass everything through to the underlying CGI without all that overhead?

Yep, I mentioned that as an alternative solution.

Just to make sure I got your point: what do you mean by "pass-through
semantics"?

How to determine in this case whether request body data (a.k.a. "POST data")
should be forwarded to the servlet?

- Forward any time?
or
- Check HttpServletRequest.getInputStream() != null &&
!HttpServletRequest.getInputStream().isFinished()?

This is what Apache HTTPD does (simply accepts all method names and forwards
them to the CGI script).
I am wondering if there might be cases where forwarding request body data to
a CGI script that is not prepared for it might result in security problems.

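Added example, not part of the comment above or of the patch it discusses: a method allowlist compiled once and checked per request with matches(), compared against the equivalent equals() chain, plus one possible rule for when the request body is forwarded. The class name CgiMethodPolicy, the method list and the body-forwarding rule are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper, not taken from the patch under discussion.
public class CgiMethodPolicy {
    // Compiled once (as a servlet would do in init()), reused for every request.
    private final Pattern allowedMethods;
    // Assumption: the body is only forwarded for methods listed here.
    private final Set<String> methodsWithBody;

    public CgiMethodPolicy(String allowedRegex, Set<String> methodsWithBody) {
        this.allowedMethods = Pattern.compile(allowedRegex);
        this.methodsWithBody = Set.copyOf(methodsWithBody);
    }

    // matches() must consume the whole input, so "GET" passes but "GETX" does not.
    public boolean isAllowed(String method) {
        return method != null && allowedMethods.matcher(method).matches();
    }

    // The same decision written as an equals() chain, as in the comment.
    public static boolean isAllowedByEquals(String method) {
        return "GET".equals(method) || "POST".equals(method)
                || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    // Forward the body only for an allowed method that is expected to carry one.
    public boolean shouldForwardBody(String method) {
        return isAllowed(method) && methodsWithBody.contains(method);
    }

    public static void main(String[] args) {
        CgiMethodPolicy policy =
                new CgiMethodPolicy("GET|POST|HEAD|OPTIONS", Set.of("POST"));
        // Constructed sample method tokens, including near-misses.
        for (String m : List.of("GET", "POST", "HEAD", "DELETE", "GETX", "get", " GET")) {
            boolean byRegex = policy.isAllowed(m);
            if (byRegex != isAllowedByEquals(m)) {
                throw new AssertionError("regex and equals() disagree for: " + m);
            }
            System.out.printf("[%s] allowed=%b forwardBody=%b%n",
                    m, byRegex, policy.shouldForwardBody(m));
        }
    }
}
```

The two checks agree only because matches() anchors at both ends; switching to find() would also accept "GETX" and " GET".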