[Bug 69446] New: HttpServlet doPut - storage exhausted without maxFileSize limitation

bugzilla Fri, 15 Nov 2024 01:01:51 -0800

https://bz.apache.org/bugzilla/show_bug.cgi?id=69446


            Bug ID: 69446
           Summary: HttpServlet doPut - storage exhausted without
                    maxFileSize limitation
           Product: Tomcat 10
           Version: 10.1.33
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet
          Assignee: dev@tomcat.apache.org
          Reporter: ch...@msn.com
  Target Milestone: ------

Created attachment 39933
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=39933&action=edit
one-statement-attack

easy way for DDoS attackers.

when server answer OK to a partial put request with header "Content-Range:
100000000-100000000/100000001" and 1-byte-body, sametime 100MB storage  is
gone.


propose add a maxFileSize param / or config to prohibit putting too-large-file,
especially when allowPartialPut enabled.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 69446] New: HttpServlet doPut - storage exhausted without maxFileSize limitation

Reply via email to