Rainer, On 2/10/2011 8:04 AM, Rainer Jung wrote: > It seems there's still no server-side prevention against huge uploads > possible. The upload is not put into memory, but the thread is only > freed once the whole request body is read. Shouldn't Tomcat ignore the > rest of data and close the connection in this case?
+1 I've always wondered why Tomcat drains the input stream instead of just closing it. I could write a client that does a PUT or POST with no Content-Length and just send 1 byte every second or so and tie up a request thread indefinitely. That seems dangerous. -chris
signature.asc
Description: OpenPGP digital signature
