On 10/02/2011 21:32, Christopher Schultz wrote:
> Rainer,
>
> On 2/10/2011 8:04 AM, Rainer Jung wrote:
>> It seems there's still no server-side prevention against huge uploads
>> possible. The upload is not put into memory, but the thread is only
>> freed once the whole request body is read. Shouldn't Tomcat ignore the
>> rest of data and close the connection in this case?
>
> +1
>
> I've always wondered why Tomcat drains the input stream instead of just
> closing it.
>
> I could write a client that does a PUT or POST with no Content-Length
> and just send 1 byte every second or so and tie up a request thread
> indefinitely. That seems dangerous.

That is a different issue. You are describing a slowloris attack. The simple mitigation for that is to use the NIO connector.

Mark
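
For reference, the connector change suggested in the reply above, sketched as a `server.xml` fragment. This is an added example, not configuration posted in the thread; the port, thread count and timeout values are assumptions, and the protocol class names are the ones used by Tomcat 6 and 7.

```xml
<!-- Added illustration, not from the thread. The two Connector elements are
     alternatives for the same port: use one or the other, not both. -->

<!-- Before: blocking (BIO) connector.
     Every open connection occupies a worker thread while Tomcat waits for
     the client to send more bytes. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="200"
           connectionTimeout="20000" />

<!-- After: NIO connector.
     Connections that are idle or still sending request headers are watched
     by the poller and do not hold a worker thread.
     connectionUploadTimeout applies while a request body is being read and
     only takes effect when disableUploadTimeout is "false". -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           connectionTimeout="20000"
           disableUploadTimeout="false"
           connectionUploadTimeout="30000" />
```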