On 29/12/2011 15:44, Christopher Schultz wrote:
> Mark,
> 
> On 12/28/11 5:28 PM, Mark Thomas wrote:
>> Tomcat has implemented a work-around for this issue by providing
>> a new option (maxParameterCount) to limit the number of
>> parameters processed for a single request. This default limit is
>> 10000: high enough to be unlikely to affect any application; low
>> enough to mitigate the effects of the DoS.
> 
> While both POST-size-limiting and parameter-count-limiting are
> reasonable mitigating procedures, would the use of a
> randomized-hash be something worth doing?

I don't know. My instinct is that it wouldn't but I could be wrong.

> There are other solutions of course, but Tomcat could subclass 
> commons-collections' HashedMap and alter the behavior of the
> hashIndex method to add a salt to the hashcode of any parameter
> name that will be inserted into the hash map.

Another couple of options:
- start with Harmony's implementation and tweak that.
- use TreeMap

Before changing anything, we'd need to look hard at performance
figures and take any additional maintenance overhead into consideration.

Performance was the reason I didn't just switch to TreeMap.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
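The thread weighs three mitigations for the hash-collision DoS: the shipped parameter-count cap (maxParameterCount), a randomized hash, and TreeMap. The following example is added here and is not Tomcat's or commons-collections' code; it assumes a toy separate-chaining map standing in for the parameter map, uses a keyed BLAKE2b hash as the "randomized hash" option, and rejects the request with an exception when the cap is exceeded (a choice made for the example, not Tomcat's behaviour). It goes beyond the thread in one respect: it shows that "add a salt to the hashcode" only helps if the salt is mixed by a real keyed hash, because Java's 31-multiply String.hashCode() satisfies hash(s + t) == hash(s) * 31**len(t) + hash(t) (mod 2**32), so prepending or appending a salt string, or adding a constant afterwards, leaves the attacker's colliding names colliding.

```python
import hashlib
import itertools
import secrets
from urllib.parse import unquote_plus


def java_string_hash(s):
    """Java's String.hashCode(): h = 31*h + c for each char, wrapping at 32 bits."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


# "Aa" and "BB" both hash to 2112.  Since hash(s + t) == hash(s) * 31**len(t) + hash(t)
# (mod 2**32), any strings built from the same number of these blocks collide, so
# k blocks give 2**k colliding parameter names: the attacker's constructed payload.
COLLIDING_BLOCKS = ("Aa", "BB")


def colliding_names(count):
    k = max(1, (count - 1).bit_length())
    names = []
    for combo in itertools.product(COLLIDING_BLOCKS, repeat=k):
        names.append("".join(combo))
        if len(names) == count:
            break
    return names


class ChainedMap:
    """Toy separate-chaining map (constructed for this example, no resizing) standing
    in for the map parameters are parsed into.  Counts key comparisons so the cost of
    inserting colliding keys is visible; resizing would not help, as every colliding
    key lands in the same bucket at any table size."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key, value):
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

    def longest_chain(self):
        return max(len(b) for b in self.buckets)


# Assumed per-process secret for the randomized-hash option: generated at startup,
# never exposed to clients.
SALT = secrets.token_bytes(16)


def naive_salted_hash(key, salt=SALT):
    """What 'add a salt to the hashcode' literally gives: a constant added after the
    multiplicative hash.  Every colliding key moves to the same new bucket, so the
    attacker's names still collide (mixing a salt string into the input before the
    31-multiply hash fails the same way, by the identity above)."""
    return (java_string_hash(key) + int.from_bytes(salt[:4], "big")) & 0xFFFFFFFF


def keyed_hash(key, salt=SALT):
    """A real randomized hash: a keyed hash over the key bytes (BLAKE2b, chosen
    only for illustration), so Java hashCode collisions do not carry over."""
    digest = hashlib.blake2b(key.encode("utf-8"), digest_size=8, key=salt).digest()
    return int.from_bytes(digest, "big")


def attack_cost(hash_fn, n=2048):
    """(key comparisons, longest chain) after inserting n colliding names via hash_fn."""
    m = ChainedMap(hash_fn)
    for name in colliding_names(n):
        m.put(name, "x")
    return m.comparisons, m.longest_chain()


class TooManyParameters(Exception):
    pass


def parse_query(query, max_parameter_count=10000, hash_fn=java_string_hash):
    """Parse 'a=1&b=2' into a ChainedMap, stopping at max_parameter_count parameters
    in the spirit of maxParameterCount (default 10000, as stated in the thread).
    Raising once the cap is exceeded is this example's choice."""
    params = ChainedMap(hash_fn)
    seen = 0
    for pair in query.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_parameter_count:
            raise TooManyParameters(f"more than {max_parameter_count} parameters")
        name, _, value = pair.partition("=")
        params.put(unquote_plus(name), unquote_plus(value))
    return params
```

With 2048 colliding names, `attack_cost(java_string_hash)` and `attack_cost(naive_salted_hash)` both do 2048*2047/2 key comparisons with a single chain of 2048 entries, while `attack_cost(keyed_hash)` stays near the few thousand comparisons a uniform hash gives; `parse_query` bounds the damage regardless of the hash, since the quadratic cost is capped at the configured count.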
