Barry Pearce
barry.pearce at copyrightwitness.net
Sun Mar 27 05:10:10 EST 2005
Hi,

Um. The problem is in the streaming itself. Use of req.readline does not limit the amount of memory used. Should a binary file be uploaded it potentially loads everything into memory.

I believe that all readline() calls involved in file data with or without the content disposition header should use a limited readline() - I am currently experimenting with my fix and a 64KB buffer size seems to work well.

Although this highlights other issues - namely the line 'sline = line.strip()'. If the line size is not even remotely close to the boundary line length then the strip will just eat another ~64KB of memory...

I'll post new code when it's working to my satisfaction.

Cheers,

Barry

Nicolas Lehuen wrote:

> I've entered this in the JIRA bug repository :
>
> http://issues.apache.org/jira/browse/MODPYTHON-40
>
> Regards,
> Nicolas
>
>
> On Fri, 25 Mar 2005 14:20:42 -0600, Nick <nick at dd.revealed.net> wrote:
>
>>Nicolas Lehuen wrote:
>>
>>>Like I've written in another mail, FieldStorage will stream only if the
>>>Content-Disposition header of the file part of the POST entity
>>>contains a filename attribute (see mod_python/util.py line 169). Maybe
>>>we should change this behaviour :
>>>
>>>1) Always stream to disk unless told otherwise
>>
>>I would agree this should be done. Regardless of whether HTTP should or
>>should not be used for huge file uploads, it does leave you open to DoS.
>>
>>Nick
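
An added example, not part of the original message and not mod_python's code: a sketch of the bounded-readline approach the message describes, which also avoids calling strip() on a full buffer. The helper name `stream_part`, the boundary token and the sample upload are assumptions; `stream` is any file-like object whose `readline()` accepts a size.

```python
import io  # used only by the constructed demo input below

READ_SIZE = 64 * 1024  # the 64KB buffer size the message reports working well


def stream_part(stream, boundary, out, read_size=READ_SIZE):
    """Copy one multipart part body from stream to out, stopping at the boundary.

    Hypothetical helper, not mod_python code. Returns (bytes_written, is_last).
    """
    next_part = b"--" + boundary
    last_part = next_part + b"--"
    max_delim = len(last_part) + 2   # longest delimiter line, CRLF included
    held = b""                       # trailing CR/LF; may belong to the delimiter
    written = 0
    at_line_start = True
    while True:
        chunk = stream.readline(read_size)   # bounded: never a whole binary file
        if not chunk:
            raise ValueError("stream ended before the closing boundary")
        # Only a short chunk that begins a line can be a delimiter, so no
        # strip() ever runs over a full 64KB buffer.
        if at_line_start and len(chunk) <= max_delim:
            candidate = chunk.rstrip(b"\r\n")
            if candidate in (next_part, last_part):
                return written, candidate == last_part
        data = held + chunk
        if data.endswith(b"\r\n"):
            cut = 2
        elif data.endswith((b"\n", b"\r")):
            cut = 1
        else:
            cut = 0
        out.write(data[:len(data) - cut])
        written += len(data) - cut
        held = data[len(data) - cut:]
        at_line_start = chunk.endswith(b"\n")


def demo():
    # Constructed input: 200000 bytes with no newline, then the closing delimiter.
    payload = b"\x00" * 200000
    body = payload + b"\r\n--XyZ123--\r\n"
    out = io.BytesIO()
    written, is_last = stream_part(io.BytesIO(body), b"XyZ123", out)
    return written, is_last, out.getvalue() == payload
```

In a handler, `out` would be a temporary file on disk rather than an in-memory buffer, so peak memory stays near `read_size` whatever the upload size.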