Mark,

On 2/11/2011 4:37 AM, Mark Thomas wrote:
> On 10/02/2011 21:32, Christopher Schultz wrote:
>> Rainer,
>>
>> On 2/10/2011 8:04 AM, Rainer Jung wrote:
>>> It seems there's still no server-side prevention against huge uploads
>>> possible. The upload is not put into memory, but the thread is only
>>> freed once the whole request body is read. Shouldn't Tomcat ignore the
>>> rest of data and close the connection in this case?
>>
>> +1
>>
>> I've always wondered why Tomcat drains the input stream instead of just
>> closing it.
>>
>> I could write a client that does a PUT or POST with no Content-Length
>> and just send 1 byte every second or so and tie up a request thread
>> indefinitely. That seems dangerous.
>
> That is a different issue. You are describing a slowloris attack. The
> simple mitigation for that is to use the NIO connector.

Good point.

-chris
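For readers coming to this thread from the archive: the mitigation Mark refers to is selecting the NIO HTTP connector in conf/server.xml. The fragment below is an added illustration written for this page; it is not taken from the thread and is not Tomcat's own sample configuration. The port, maxThreads and timeout values are placeholders chosen for the example, and only one of the two Connector elements should be active at a time, since both bind the same port.

```xml
<!-- conf/server.xml fragment (added example, not from the thread).
     Keep exactly one of the two Connector elements below. -->

<!-- Weak: on Tomcat 6/7 the plain protocol name "HTTP/1.1" selects the
     blocking (BIO) connector when the APR/native library is absent.
     A worker thread is tied to each accepted connection, including while
     the server is still waiting for the request line and headers, so a
     client that trickles bytes pins a thread for the life of the
     connection and maxThreads such connections exhaust the pool. -->
<Connector port="8080" protocol="HTTP/1.1"
           maxThreads="200"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Better: the NIO connector parks idle connections on a poller and
     does not keep a worker thread busy while the request line and
     headers trickle in, which is the slowloris case Mark describes.
     connectionTimeout (milliseconds) still bounds how long a single
     read may wait; the values shown are example placeholders. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           connectionTimeout="20000"
           redirectPort="8443" />
```

One caveat worth knowing before treating this as a complete fix: the NIO connector removes the thread cost of slow request lines and headers, but once a request has been dispatched to a servlet and that servlet reads the body, the read occupies a worker thread on either connector. The one-byte-per-second POST body Chris describes therefore still holds a thread, and connectionTimeout limits the wait per read rather than the total upload time, so each byte that arrives resets the clock. Bounding total request duration or body size has to happen elsewhere (a fronting proxy, a filter that enforces its own deadline, or Content-Length checks in the application).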