Chenjp commented on PR #823: URL: https://github.com/apache/tomcat/pull/823#issuecomment-2673452793
> > Rate limiter filter, or WAF can detect and block those requests.
>
> Either of those two can also provide the limits you are requesting, here. Adding a feature to Tomcat which requires additional protection from e.g. WAF is kinda silly when the WAF could provide the new feature as well.

As said, when partial PUT is disabled, a malicious user can send many separate requests; in this case, server-side available storage is reduced slowly and can be observed by server-side disk space monitoring, the Tomcat traffic rate limiter, a WAF blocker, etc. When partial PUT is enabled, Tomcat users have to face a fatal storage exhaustion in an instant if the WAF has no block policy at the Content-Range header semantic layer. In this circumstance, disk space monitoring is ineffective, and a traffic rate limiter cannot detect it. I think that a WAF is not a controllable asset for most Tomcat users.

Partial PUT is predefined in the RFC spec; considering that there may be multiple implementations, not just DefaultServlet and WebDavServlet, enforcing the file size limit only in DefaultServlet is not good enough.

How about ***an extra Filter*** to limit PUT destination size?
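As an added illustration of the kind of Filter proposed above (not code from this PR or from Tomcat), a Servlet Filter that bounds how far a PUT may extend the destination: it parses the Content-Range header (the "bytes first-last/complete-length" form) and rejects requests whose declared end offset exceeds a limit, so a single partial PUT cannot claim a huge range. The jakarta.servlet package, the class name, the init-param name and the 100 MiB default are assumptions.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/** Rejects PUT requests that would grow the destination resource beyond a byte limit. */
public class PutSizeLimitFilter implements Filter {
    // Content-Range form "bytes first-last/complete-length"; complete-length may be "*".
    private static final Pattern CONTENT_RANGE = Pattern.compile("^bytes (\\d+)-(\\d+)/(\\d+|\\*)$");
    private long maxBytes = 100L * 1024 * 1024; // default 100 MiB (assumption)

    @Override
    public void init(FilterConfig config) {
        String v = config.getInitParameter("maxDestinationBytes"); // hypothetical init-param name
        if (v != null) {
            maxBytes = Long.parseLong(v.trim());
        }
    }

    /** Highest offset the request declares it will write (last+1, or complete-length if larger); -1 if malformed. */
    static long declaredEnd(String contentRange) {
        Matcher m = CONTENT_RANGE.matcher(contentRange.trim());
        if (!m.matches()) return -1;
        try {
            long first = Long.parseLong(m.group(1));
            long last = Long.parseLong(m.group(2));
            if (last < first || last == Long.MAX_VALUE) return -1; // inverted range, or last+1 overflows
            String complete = m.group(3);
            return "*".equals(complete) ? last + 1 : Math.max(last + 1, Long.parseLong(complete));
        } catch (NumberFormatException e) {
            return -1; // digit string too long for a long: treat as malformed, never as "small"
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if ("PUT".equals(request.getMethod())) {
            String range = request.getHeader("Content-Range");
            // Without Content-Range the destination grows by at most the body size; -1 means chunked/unknown length.
            long end = range == null ? request.getContentLengthLong() : declaredEnd(range);
            if (range != null && end < 0) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            if (end > maxBytes) {
                response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

A chunked PUT without Content-Range or Content-Length passes through unchecked here, so the body size would still need to be bounded by another mechanism.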