Chenjp commented on PR #823: URL: https://github.com/apache/tomcat/pull/823#issuecomment-2670515402
@rmaucher @markt-asf I have to talk here since the previous vulnerability report has been rejected. I really think the target issue of this PR is a perfect match for CWE-770 / CWE-400:

***"The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor."***

See https://cwe.mitre.org/data/definitions/770.html and https://cwe.mitre.org/data/definitions/400.html

Anyway, one or two simple requests resulting in the creation of a >=1TB file on the server side is absolutely not acceptable. If the application server discards this issue, then biz developers have to face it directly, or enroll a firewall block policy against it. An online WebDAV provider has been identified, and a 10MB file was uploaded successfully with 1-byte request content.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org