From: Stephen D. <sd...@gm...> - 2005-06-16 18:05:39
On 6/16/05, Zoran Vasiljevic <zv...@ar...> wrote:
>
> On 16.06.2005 at 19:40, Vlad Seryakov wrote:
>
> > It looks like maxpost just checks Content-Length: header, it is not
> > hard limit like maxinput which limits the real memory buffer for
> > uploaded content.
> >
>
> As I see, the maxpost test can be easily dwarfed by somebody giving the
> content-length of -1 (or less). In that case the code in SockRead()
> at the line 1481 will just ignore the maxpost setting:
>
>     s = Ns_SetIGet(reqPtr->headers, "content-length");
>     if (s != NULL) {
>         reqPtr->length = atoi(s);
>         if (reqPtr->length < 0
>             && reqPtr->length > sockPtr->drvPtr->servPtr->limits.maxpost) {
>             return SOCK_ERROR;
>         }
>     }
>
> See? If the content-length is set to some other meaningful value (>= 0)
> then the test is OK. But if not, then maxinput is really useless.
> I would suggest we simply junk the maxpost knob and rely on the
> maxinput only.
> This will make life easier.

Yeah, this broken test looks redundant.
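Added example, not part of the original message or of the project's code: the quoted test isolated as a function, next to a strict Content-Length parse that refuses negative, malformed, overflowing and over-limit values. The function names, the maxpost parameter (standing in for servPtr->limits.maxpost) and the sample values are assumptions made for the illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* The test as quoted in the message, isolated: returns 1 when the request
 * would be rejected. "maxpost" stands in for servPtr->limits.maxpost. */
static int quoted_check_rejects(const char *s, int maxpost)
{
    int length = atoi(s);
    return (length < 0 && length > maxpost);
}

/* Hypothetical replacement (name and signature are assumptions): accept only
 * a plain decimal value in [0, maxpost]. Returns 0 and stores the length on
 * success, -1 when the request should be refused. */
static int parse_content_length(const char *s, long long maxpost, long long *out)
{
    char *end;
    long long v;

    if (s == NULL || !isdigit((unsigned char)*s)) {
        return -1;               /* empty, signed ("-1", "+5") or non-numeric */
    }
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE || *end != '\0') {
        return -1;               /* overflow or trailing garbage */
    }
    if (v > maxpost) {
        return -1;               /* over the configured limit */
    }
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed header values; 1024 is a constructed limit. */
    const char *samples[] = { "512", "-1", "4096", "12abc" };
    long long len;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-6s quoted test rejects: %d, strict parse: %s\n", samples[i],
               quoted_check_rejects(samples[i], 1024),
               parse_content_length(samples[i], 1024, &len) == 0 ? "accept" : "reject");
    }
    return 0;
}
```

With a non-negative limit the quoted condition (length < 0 && length > maxpost) cannot be true, so every sample passes it; the strict parse accepts only "512".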