From reading the code for AbstractHandler::getPostData, I found that the postLimit setting can be used to limit the allowed size of initial application/x-www-form-urlencoded POST data to be preserved.
However, actually testing this out shows that this limit is not actually being enforced. The config from shibboleth2.xml and commands I used to test are:
According to the code, if the submitted POST data exceeds the limit, a warning should be logged indicating that POST data was lost, but I did not find any such log entry:
AbstractHandler.cpp
Stepping through the code in a debugger shows that the call to request.getContentLength() always returns 0. For my Apache environment, this method is implemented by ShibTargetApache::getContentLength:
mod_shib.cpp
The m_gotBody field is always false, even for POST requests with a request body. It looks like this field only becomes initialized after a call to ShibTargetApache::getRequestBody(), but setting a breakpoint on this function shows that it is never called before the getContentLength() check.
I have to admit that I don't know why m_req->remaining would return 0 for POSTs with a request body, though. Given that the request body was not yet read by us in getRequestBody(), I would expect this field to contain the POST request size rather than 0.
Either way, the getRequestBody() call is first made as part of the CGIParser stuff to fetch the POST parameters, which enables it to get the correct values, but unfortunately the POST data size check has already been passed at that point.
As a quick check to verify all of the above, I recompiled with the following modification to AbstractHandler::getPostData:
AbstractHandler.cpp
Indeed, this modification ensures that the m_gotBody field is initialized, and enables the POST size check to work. (Note that I'm not advocating the above modification as a solution; it's merely a technical test to see if initializing the field would allow the check to work.)
Finally, the postLimit setting does not seem to be documented. I had been looking for this functionality in the docs before I found it in the code, so I imagine other people might be too.
Environment
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
Apache 2.2.23
Well, I accidentally listed the extra request.getRequestBody() that I added for testing in the original source code listing for AbstractHandler::getPostData. I can no longer edit the description text though, so ignore that :o)
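A minimal model of the check ordering described in the report, added here as an example; it is not part of the original report and is not Shibboleth code. `MockRequest`, its members, `checkThenRead` and `readThenCheck` are hypothetical names, the limit is assumed to be in bytes, and the 0 returned before the body is read reproduces what the reporter observed in the debugger.

```cpp
#include <string>
#include <utility>

// Hypothetical stand-in for the request object; not Shibboleth code.
class MockRequest {
    std::string m_wire;       // body not yet read from the client
    std::string m_body;       // body once it has been read
    bool m_gotBody = false;   // set only by getRequestBody()
    long m_remaining = 0;     // value the report observed before any read
public:
    explicit MockRequest(std::string body) : m_wire(std::move(body)) {}
    long getContentLength() const {
        return m_gotBody ? static_cast<long>(m_body.size()) : m_remaining;
    }
    const std::string& getRequestBody() {
        if (!m_gotBody) { m_body = m_wire; m_gotBody = true; }
        return m_body;
    }
};

enum class PostResult { Preserved, Rejected };

// Order described in the report: the size check runs before anything
// has read the body, so it compares 0 against the limit.
PostResult checkThenRead(MockRequest& req, long limitBytes) {
    if (req.getContentLength() > limitBytes) return PostResult::Rejected;
    req.getRequestBody();     // parameter parsing reads the body afterwards
    return PostResult::Preserved;
}

// Order used in the reporter's test build: body read first, then checked.
PostResult readThenCheck(MockRequest& req, long limitBytes) {
    req.getRequestBody();
    if (req.getContentLength() > limitBytes) return PostResult::Rejected;
    return PostResult::Preserved;
}

int main() {
    MockRequest a(std::string(2048, 'x'));   // constructed 2048-byte body
    MockRequest b(std::string(2048, 'x'));
    bool bypassed = checkThenRead(a, 1024) == PostResult::Preserved;
    bool enforced = readThenCheck(b, 1024) == PostResult::Rejected;
    return (bypassed && enforced) ? 0 : 1;
}
```

The same pair of calls works as a regression test: an oversized body must come back `Rejected` regardless of whether anything has read the body before the check.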