Index: org/apache/commons/httpclient/HttpMethodBase.java =================================================================== RCS file: /home/cvs/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/HttpMethodBase.java,v retrieving revision 1.214 diff -u -r1.214 HttpMethodBase.java --- org/apache/commons/httpclient/HttpMethodBase.java 16 Sep 2004 06:46:30 -0000 1.214 +++ org/apache/commons/httpclient/HttpMethodBase.java 16 Sep 2004 20:05:13 -0000 @@ -181,6 +181,9 @@ /** Actual cookie policy */ private CookieSpec cookiespec = null; + + /** Default initial size of the response buffer if content length is unknown. */ + private static final int DEFAULT_INITIAL_BUFFER_SIZE = 4*1024; // 4 kB // ----------------------------------------------------------- Constructors @@ -667,6 +670,11 @@ * Returns the response body of the HTTP method, if any, as an array of bytes. * If response body is not available or cannot be read, returns null * + * Note: This will cause the entire response body to be buffered in memory. A + * malicious server may easily exhaust all the VM memory. It is strongly + * recommended, to use getResponseAsStream if the content length of the response + * is unknown or resonably large. + * * @return The response body. * * @throws IOException If an I/O (transport) problem occurs while obtaining the 
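Review bot: The Javadoc note added in the @@ -667 hunk recommends `getResponseAsStream`, but the method this class actually calls in the @@ -676 hunk is `getResponseBodyAsStream()`, so readers are pointed at a name that appears nowhere else in the patch. The same name is repeated in the `LOG.warn` text of the @@ -676 hunk and in the Javadoc note of the @@ -717 hunk. I would write `{@link #getResponseBodyAsStream()}` in both Javadoc notes and `getResponseBodyAsStream` in the log message, and correct "resonably" to "reasonably" in both notes. The Javadoc comment itself starts and ends outside the hunk.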
@@ -676,8 +684,18 @@ if (this.responseBody == null) { InputStream instream = getResponseBodyAsStream(); if (instream != null) { + long contentLength = getResponseContentLength(); + if (contentLength > Integer.MAX_VALUE) { //guard below cast from overflow + throw new IOException("Content too large to be buffered: "+ contentLength +" bytes"); + } + int limit = getParams().getIntParameter(HttpMethodParams.BUFFER_WARN_TRIGGER_LIMIT, 1024*1024); + if ((contentLength == -1) || (contentLength > limit)) { + LOG.warn("Going to buffer response body of large or unknown size. " + +"Using getResponseAsStream instead is recommended."); + } LOG.debug("Buffering response body"); - ByteArrayOutputStream outstream = new ByteArrayOutputStream(); + ByteArrayOutputStream outstream = new ByteArrayOutputStream( + contentLength > 0 ? (int) contentLength : DEFAULT_INITIAL_BUFFER_SIZE); byte[] buffer = new byte[4096]; int len; while ((len = instream.read(buffer)) > 0) { 
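Review bot: The new `ByteArrayOutputStream` constructor call sizes the initial buffer from the server-supplied Content-Length, so any declared length up to `Integer.MAX_VALUE` is allocated before a single body byte has been read. The overflow guard rejects only values above `Integer.MAX_VALUE` and the `limit` check only logs, so a response header alone can now force a near-2 GB allocation and an `OutOfMemoryError`, where the removed line let the buffer grow with the data actually received. Capping the preallocation keeps the benefit for honest responses: `contentLength > 0 ? (int) Math.min(contentLength, Math.max(limit, DEFAULT_INITIAL_BUFFER_SIZE)) : DEFAULT_INITIAL_BUFFER_SIZE`. The enclosing method begins and ends outside this hunk.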
@@ -717,7 +735,12 @@ * If response body is not available or cannot be read, returns null * The string conversion on the data is done using the character encoding specified * in Content-Type header. - * + * + * Note: This will cause the entire response body to be buffered in memory. A + * malicious server may easily exhaust all the VM memory. It is strongly + * recommended, to use getResponseAsStream if the content length of the response + * is unknown or resonably large. + * * @return The response body. * * @throws IOException If an I/O (transport) problem occurs while obtaining the Index: org/apache/commons/httpclient/params/HttpMethodParams.java =================================================================== RCS file: /home/cvs/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/params/HttpMethodParams.java,v retrieving revision 1.14 diff -u -r1.14 HttpMethodParams.java --- org/apache/commons/httpclient/params/HttpMethodParams.java 14 Sep 2004 20:11:32 -0000 1.14 +++ org/apache/commons/httpclient/params/HttpMethodParams.java 16 Sep 2004 20:05:15 -0000 @@ -249,6 +249,15 @@ public static final String RETRY_HANDLER = "http.method.retry-handler"; /** + * Sets the maximum buffered response size (in bytes) that triggers no warning. Buffered + * responses exceeding this size will trigger a warning in the log. + *

+ * This parameter expects a value if type {@link Integer}. + *

+ */ + public static final String BUFFER_WARN_TRIGGER_LIMIT = "http.method.response.buffer.warnlimit"; + + /** * Creates a new collection of parameters with the collection returned * by {@link #getDefaultParams()} as a parent. The collection will defer * to its parent for a default value if a particular parameter is not
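Review bot: The Javadoc for `BUFFER_WARN_TRIGGER_LIMIT` states neither the default nor that the value is only a logging threshold. Judging by the `getIntParameter(HttpMethodParams.BUFFER_WARN_TRIGGER_LIMIT, 1024*1024)` call in the HttpMethodBase hunk, the default is 1 MB, a response of unknown length always warns, and nothing is rejected at this size; saying so keeps the constant from being read as an enforced cap on buffered responses. I would add `Defaults to 1 MB; a response of unknown length always triggers the warning. This is a logging threshold only, the response is still buffered in full.` and change "a value if type" to "a value of type".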