Index: org/apache/commons/httpclient/HttpMethodBase.java
===================================================================
RCS file: /home/cvspublic/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/HttpMethodBase.java,v
retrieving revision 1.214
diff -u -r1.214 HttpMethodBase.java
--- org/apache/commons/httpclient/HttpMethodBase.java 16 Sep 2004 06:46:30 -0000 1.214
+++ org/apache/commons/httpclient/HttpMethodBase.java 16 Sep 2004 12:09:36 -0000
@@ -181,6 +181,12 @@
/** Actual cookie policy */
private CookieSpec cookiespec = null;
+
+ /** Maximum buffered response size (in bytes) that triggers no warning. */
+ private static final int BUFFER_WARN_TRIGGER_LIMIT = 1024*1024; //1 MB
+
+ /** Default initial size of the response buffer if content length is unknown. */
+ private static final int DEFAULT_INITIAL_BUFFER_SIZE = 4*1024; // 4 kB
// ----------------------------------------------------------- Constructors
@@ -667,6 +673,11 @@
* Returns the response body of the HTTP method, if any, as an array of bytes.
* If response body is not available or cannot be read, returns null
*
+ * Note: This will cause the entire response body to be buffered in memory. A
+ * malicious server may easily exhaust all the VM memory. It is strongly
+ * recommended, to use getResponseAsStream if the content length of the response
+ * is unknown or resonably large.
+ *
* @return The response body.
*
* @throws IOException If an I/O (transport) problem occurs while obtaining the
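Review bot: The note added at L22–L25 steers callers to `getResponseAsStream`, but the accessor this class actually exposes (and the one the buffering code below calls) is `getResponseBodyAsStream`, so the advice names a method that does not exist; `resonably` is also misspelled. Replace the last two lines with `recommended to use {@link #getResponseBodyAsStream()} if the content length of the response` / `is unknown or reasonably large.` so the link is checked by javadoc. The Javadoc block begins before this hunk and the method body follows after it.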
@@ -676,8 +687,17 @@
if (this.responseBody == null) {
InputStream instream = getResponseBodyAsStream();
if (instream != null) {
+ long contentLength = getResponseContentLength();
+ if (contentLength > Integer.MAX_VALUE) { //guard below cast from overflow
+ throw new IOException("Content too large to be buffered: "+ contentLength +" bytes");
+ }
+ if ((contentLength == -1) || (contentLength > BUFFER_WARN_TRIGGER_LIMIT)) {
+ LOG.warn("Going to buffer response body of large or unknown size. "
+ +"Using getResponseAsStream instead is recommended.");
+ }
LOG.debug("Buffering response body");
- ByteArrayOutputStream outstream = new ByteArrayOutputStream();
+ ByteArrayOutputStream outstream = new ByteArrayOutputStream(
+ contentLength > 0 ? (int) contentLength : DEFAULT_INITIAL_BUFFER_SIZE);
byte[] buffer = new byte[4096];
int len;
while ((len = instream.read(buffer)) > 0) {
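Review bot: L44–L45 pre-size the `ByteArrayOutputStream` to whatever `Content-Length` the server announced, so a hostile server can force an allocation of close to `Integer.MAX_VALUE` bytes before a single body byte is read; the guard at L35 only rejects values that do not fit in an `int`, and the warning at L38–L41 does not stop the allocation. Cap the initial capacity and let the stream grow on demand: `contentLength > 0 ? (int) Math.min(contentLength, BUFFER_WARN_TRIGGER_LIMIT) : DEFAULT_INITIAL_BUFFER_SIZE);`. The read loop itself is still unbounded, so a chunked or over-long body can still exhaust the heap as the new Javadoc admits; a real fix would need a configurable hard limit, which this change does not add. The warning text at L40 also names `getResponseAsStream`, which should be `getResponseBodyAsStream` to match the method called at L32. `getResponseBody` continues past the end of this hunk.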
@@ -717,7 +737,12 @@
* If response body is not available or cannot be read, returns null
* The string conversion on the data is done using the character encoding specified
* in Content-Type header.
- *
+ *
+ * Note: This will cause the entire response body to be buffered in memory. A
+ * malicious server may easily exhaust all the VM memory. It is strongly
+ * recommended, to use getResponseAsStream if the content length of the response
+ * is unknown or resonably large.
+ *
* @return The response body.
*
* @throws IOException If an I/O (transport) problem occurs while obtaining the
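Review bot: The Javadoc added at L55–L58 repeats the recommendation to use `getResponseAsStream`, which does not match the stream accessor this class provides, `getResponseBodyAsStream`, and again misspells `resonably`. Suggest `recommended to use {@link #getResponseBodyAsStream()} if the content length of the response` / `is unknown or reasonably large.` so the reference resolves. The method this comment documents starts after the hunk, so its signature is not visible here.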