ChristopherSchultz commented on PR #823:
URL: https://github.com/apache/tomcat/pull/823#issuecomment-2671713171

> > The feedback was that this serves no purpose. I believe it is correct.
> > For processing of POST and some others like that, processing takes memory. Also we do not know what the app will do with the data. Hence limiting could be important and it justifies having some setting.
> > But PUT in the DefaultServlet is not the same. Let's say a security-conscious user such as you already disabled partial PUT. A malicious user can then write the same amount of data on the server storage using a trivial increase of the amount of input even if your setting is in place. The main difference would be using separate HTTP requests. So then you would be expected to catch that pattern using some kind of extra protection (where it would also be possible to check the request length)?
> > As a result, adding this setting still does not make sense to me.
>
> A rate limiter filter or a WAF can detect and block those requests.

Either of those two can also provide the limits you are requesting here. Adding a feature to Tomcat which requires additional protection from e.g. a WAF is kinda silly when the WAF could provide the new feature as well.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
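As an added illustration of the alternative discussed in the thread (a filter enforcing PUT limits outside of DefaultServlet itself), the following is example code written for this page, not part of the pull request or of Tomcat. It assumes a Jakarta Servlet 5+ container (Tomcat 10 or later), that the container enforces the declared Content-Length on the request body, and constructed limit values. The filter bounds a single PUT body and also charges each client's PUT bytes against a rolling per-window budget, which is the "separate HTTP requests" pattern the quoted reply points out a per-request limit alone does not catch:

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Tomcat code): caps the size of one PUT body and the
 * total PUT bytes a client may send within a rolling window, so that uploads
 * split across many small requests are bounded as well.
 */
@WebFilter(urlPatterns = "/*")
public class PutSizeLimitFilter implements Filter {

    // Constructed limits; tune per deployment.
    static final long MAX_PUT_BYTES = 10L * 1024 * 1024;      // 10 MiB per request
    static final long MAX_WINDOW_BYTES = 100L * 1024 * 1024;  // 100 MiB per client per window
    static final long WINDOW_MILLIS = 60_000L;                // one-minute window

    /** Byte budget consumed by one client in the current window. */
    static final class Budget {
        long windowStart;
        long bytes;
    }

    private final Map<String, Budget> budgets = new ConcurrentHashMap<>();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only PUT is subject to these limits; everything else passes through.
        if (!"PUT".equals(request.getMethod())) {
            chain.doFilter(req, res);
            return;
        }

        long length = request.getContentLengthLong();
        if (length < 0) {
            // Chunked or unknown length cannot be bounded up front: require a Content-Length.
            response.sendError(HttpServletResponse.SC_LENGTH_REQUIRED);
            return;
        }
        if (length > MAX_PUT_BYTES) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        // Charge this request against the client's window budget before reading the body.
        if (!reserve(request.getRemoteAddr(), length, System.currentTimeMillis())) {
            response.sendError(429); // Too Many Requests: window budget exhausted
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Charges {@code length} bytes to {@code client}; returns false if the
     * client's budget for the current window would be exceeded.
     */
    boolean reserve(String client, long length, long now) {
        Budget b = budgets.computeIfAbsent(client, k -> new Budget());
        synchronized (b) {
            if (now - b.windowStart >= WINDOW_MILLIS) {
                // Start a fresh window for this client.
                b.windowStart = now;
                b.bytes = 0;
            }
            if (b.bytes + length > MAX_WINDOW_BYTES) {
                return false;
            }
            b.bytes += length;
            return true;
        }
    }
}
```

Two caveats a deployer would want: `getRemoteAddr()` only identifies the real client when Tomcat's RemoteIpValve (or an equivalent) is configured behind a reverse proxy, and the per-client map is per JVM, so a cluster needs shared state or, as the comment suggests, the same limits applied at the WAF in front of all nodes.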

