Re: Rejecting a file upload

2008-01-15 Thread Volker Schoenefeld

Hello again,

This is a follow up to my post you can see here [1].

I've tried a little more and found out something really scary.

By using chunked transfer encoding you can continuously send data to _any_ Tomcat servlet, even if it would generate a 404 or another error.


What I did was to simply use the httpclient library to upload a stream of random data to a really basic Tomcat servlet (that prints hello world). What happens is that the servlet executes and finishes, but Tomcat continues to read all the data sent by my little program, even if that continues to infinity. And instead of directly showing the 404, Tomcat will first _always_ show the 100 Continue header, even if it _doesn't even accept POST/PUT_.


Sample log:

 POST /backend/test HTTP/1.1[\r][\n]
 User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]
 Host: ***:8443[\r][\n]
 Expect: 100-continue[\r][\n]
 Transfer-Encoding: chunked[\r][\n]
 [\r][\n]
 HTTP/1.1 100 Continue[\r][\n]
 [\r][\n]
 *3 megabytes of random garbage data here*
 HTTP/1.1 405 HTTP method POST is not supported by this URL[\r][\n]
[...]

This probably means that any Tomcat server out there having chunked transfer enabled can be flooded with large amounts of data without any mechanism inside of the servlet to prevent that from happening, as far as I can see. This means theoretically one could open an infinite number of non-terminating sockets to a Tomcat server, which _has_ to hurt performance.


Seems to me like there really needs to be a solution for this issue.

Best regards,
Volker

[1] http://marc.info/?l=tomcat-userm=120024591128397w=2

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Rejecting a file upload

2008-01-15 Thread Volker Schoenefeld

Hi Martin,

thanks for your response.

Sorry for my unclear description; what I meant is that the TCP connection is neither closed nor interrupted in any way. The uploader simply continues to send data to the server, even if the servlet has already written a response, closed all streams and returned from the handler, thus finishing the request.


Hope that makes it a little more clear.

Best regards,
Volker

On 15.01.2008, at 15:02, Martin Gainty wrote:

Volker, what constitutes finished? Are you saying the connection is not closed?







Rejecting a file upload

2008-01-13 Thread Volker Schoenefeld

Hi everyone,

I've stumbled across a little problem here:

I've got a streaming client (right now it's using either libcurl or Apache httpclient via HTTP 1.1 chunked transfer without a content length) that connects to a servlet on a Tomcat server and uploads data. Now the problem is that if something is wrong (e.g. I want to revoke that user's right to stream) there doesn't seem to be a way to prevent the user from continuing the upload. That doesn't seem possible in Tomcat. I've tried sending an error header and closing the input/output streams, without success. Just closing the socket would already be enough.


Even worse, the user's access has to be verified, but Tomcat just sends the 100 Continue header, which pretty much tells the user to start uploading, although the servlet hasn't been executed yet, so neither the access nor the additional query parameters could be verified.


So the questions are:

- Is there any way to close a connection to a client to prevent it from continuing the upload?

- Is there any way to prevent the 100 Continue from being sent?

I'm using Tomcat 6.

Best regards and thank you for your time,

Volker

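As an added illustration (not Tomcat code, and not Volker's client), here are the two decision points this thread asks for, modelled in Python on constructed request bytes: decide authorization before answering `Expect: 100-continue`, and cap how much chunked body the server swallows so the connection can be closed instead of read to infinity. The 1024-byte cap, the 403 choice and the helper names are assumptions.

```python
from __future__ import annotations

import io

MAX_BODY = 1024  # constructed cap on decoded body bytes the server will swallow


class BodyTooLarge(Exception):
    """Chunked body exceeded the cap; the caller should close the socket."""


def parse_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into the request line and a header map."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expect_response(headers: dict[str, str], authorized: bool) -> bytes | None:
    """Interim reply decided BEFORE any body is read; None when no Expect header."""
    if headers.get("expect", "").lower() != "100-continue":
        return None
    if not authorized:  # final status + close: the client never starts uploading
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    return b"HTTP/1.1 100 Continue\r\n\r\n"


def read_chunked(stream: io.BufferedIOBase, limit: int = MAX_BODY) -> bytes:
    """Decode a chunked body, refusing to swallow more than `limit` bytes."""
    out = bytearray()
    while True:
        size_line = stream.readline()
        if not size_line:
            raise ValueError("peer closed the connection mid-body")
        size = int(size_line.split(b";")[0].strip(), 16)  # chunk-size; drop extensions
        if size == 0:
            stream.readline()  # CRLF ending the last-chunk (trailers not modelled)
            return bytes(out)
        if len(out) + size > limit:
            raise BodyTooLarge(f"chunked body exceeds {limit} bytes")
        out += stream.read(size)
        stream.read(2)  # CRLF after chunk-data


def swallow_or_close(body: bytes, limit: int = MAX_BODY) -> tuple[bytes | None, bool]:
    """Server-side outcome for a received chunked body: (decoded, close_socket)."""
    try:
        return read_chunked(io.BytesIO(body), limit), False
    except BodyTooLarge:
        return None, True
```

Later Tomcat releases added a Connector attribute, maxSwallowSize, that bounds exactly this swallowing of unread request bodies.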