naviserver-devel

[naviserver-devel] maxinput/maxpost: why both?

[Zoran V. <zv...@ar...>]

Hi!

Related to the file upload issue, I was walking arrund the code
and do not understand why there are two limits for incoming
content?

I see that maxinput is defined per-socket-driver (thanks Vlad)
and maxpost is defined per-virtual-server.

Are there any reasons to maintain these two in future?
The newest code (4.5) in AS project seems to have dropped
the maxpost entirely.

Zoran

Re: [naviserver-devel] maxinput/maxpost: why both?

[Vlad S. <vl...@cr...>]

It looks like maxpost just checks Content-Length: header, it is not hard 
limit like maxinput which limits the real memory buffer for uploaded 
content.

Zoran Vasiljevic wrote:
> Hi!
> 
> Related to the file upload issue, I was walking arrund the code
> and do not understand why there are two limits for incoming
> content?
> 
> I see that maxinput is defined per-socket-driver (thanks Vlad)
> and maxpost is defined per-virtual-server.
> 
> Are there any reasons to maintain these two in future?
> The newest code (4.5) in AS project seems to have dropped
> the maxpost entirely.
> 
> Zoran
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> naviserver-devel mailing list
> nav...@li...
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel

-- 
Vlad Seryakov
571 262-8608 office
vl...@cr...
http://www.crystalballinc.com/vlad/

Re: [naviserver-devel] maxinput/maxpost: why both?

[Zoran V. <zv...@ar...>]

Am 16.06.2005 um 19:40 schrieb Vlad Seryakov:

> It looks like maxpost just checks Content-Length: header, it is not  
> hard limit like maxinput which limits the real memory buffer for  
> uploaded content.
>

As I see, the maxpost test can be easily dwarfed by somebody giving the
content-length of -1 (or less). In that case the code in SockRead()
at the line 1481 will just ignore the maxpost setting:

             s = Ns_SetIGet(reqPtr->headers, "content-length");
             if (s != NULL) {
                 reqPtr->length = atoi(s);
                 if (reqPtr->length < 0
                     && reqPtr->length > sockPtr->drvPtr->servPtr- 
 >limits.maxpost) {
                     return SOCK_ERROR;
                 }
             }

See? If the content-length is set to some other meaningful value (>=  
0) then the
test is OK. But if not, then maxinput is really useless.
I would suggest we simply junk the maxpost knob and rely on the  
maxinput only.
This will make life easier.

Zoran

Re: [naviserver-devel] maxinput/maxpost: why both?

[Stephen D. <sd...@gm...>]

On 6/16/05, Zoran Vasiljevic <zv...@ar...> wrote:
>=20
> Am 16.06.2005 um 19:40 schrieb Vlad Seryakov:
>=20
> > It looks like maxpost just checks Content-Length: header, it is not
> > hard limit like maxinput which limits the real memory buffer for
> > uploaded content.
> >
>=20
> As I see, the maxpost test can be easily dwarfed by somebody giving the
> content-length of -1 (or less). In that case the code in SockRead()
> at the line 1481 will just ignore the maxpost setting:
>=20
>              s =3D Ns_SetIGet(reqPtr->headers, "content-length");
>              if (s !=3D NULL) {
>                  reqPtr->length =3D atoi(s);
>                  if (reqPtr->length < 0
>                      && reqPtr->length > sockPtr->drvPtr->servPtr-
>  >limits.maxpost) {
>                      return SOCK_ERROR;
>                  }
>              }
>=20
> See? If the content-length is set to some other meaningful value (>=3D
> 0) then the
> test is OK. But if not, then maxinput is really useless.
> I would suggest we simply junk the maxpost knob and rely on the
> maxinput only.
> This will make life easier.


Yeah, this broken test looks redundant.

Re: [naviserver-devel] maxinput/maxpost: why both?

[Zoran V. <zv...@ar...>]

Am 16.06.2005 um 20:05 schrieb Stephen Deasey:

>
>
> Yeah, this broken test looks redundant.
>
>

OK. So we have a consensus. I will trash it out now.
Zoran