William, On 2/10/2011 4:51 PM, William A. Rowe Jr. wrote: > On 2/10/2011 7:04 AM, Rainer Jung wrote: >> Servlet 3 standardizes file uploads. It contains the ability to limit on >> request size, >> pretty much the same as commons fileupload supported for many years. >> >> It seems when this conditions triggers the rest of the request inout stream >> is still >> drained at the end of the request. swallowInput is not being set to false. >> >> It seems there's still no server-side prevention against huge uploads >> possible. The upload >> is not put into memory, but the thread is only freed once the whole request >> body is read. >> Shouldn't Tomcat ignore the rest of data and close the connection in this >> case? > > In HTTP, this is required if you will reject the request with a status.
I didn't realize that. Can you point me to a reference to the portion of the spec that requires that? > The behavior is RFC-correct per Apache httpd's design, which has been > debated on plenty of occasions and the finger always goes back to > RFC 2616 correctness. This seems like something we could allow with a non-default configuration setting. We have all kinds of options in Tomcat that allow non-servlet-spec-compliant behavior. -chris
signature.asc
Description: OpenPGP digital signature
