Fri, 5 Jul 2024 at 23:40, Christopher Schultz :
>
> Mark,
>
> On 7/2/24 06:33, Mark Thomas wrote:
> > [...]
>
> I would support a move to throw an unchecked exception from
> getParameter* in older versions of Tomcat in order to produce a hard-fail.
>
> But I'm somewhat more bullish about this ki
Mark,
On 7/2/24 06:33, Mark Thomas wrote:
On 01/07/2024 07:17, Michael Osipov wrote:
On 2024/06/27 17:13:56 Christopher Schultz wrote:
Michael,
On 6/27/24 08:46, Michael Osipov wrote:
On 2023/03/09 14:23:33 Christopher Schultz wrote:
A potential use-case for "large numbers of parameters" mi
On 2024/07/02 11:06:55 Rémy Maucherat wrote:
> On Tue, Jul 2, 2024 at 1:05 PM Mark Thomas wrote:
> >
> > On 02/07/2024 12:01, Michael Osipov wrote:
> > > On 2024/07/02 10:33:29 Mark Thomas wrote:
> > >> On 01/07/2024 07:17, Michael Osipov wrote:
> >
> >
> >
> > >>> I would really really expect th
On Tue, Jul 2, 2024 at 1:05 PM Mark Thomas wrote:
>
> On 02/07/2024 12:01, Michael Osipov wrote:
> > On 2024/07/02 10:33:29 Mark Thomas wrote:
> >> On 01/07/2024 07:17, Michael Osipov wrote:
>
>
>
> >>> I would really really expect that Tomcat fails hard with 4xx if the input
> >>> is invalid an
On 02/07/2024 12:01, Michael Osipov wrote:
On 2024/07/02 10:33:29 Mark Thomas wrote:
On 01/07/2024 07:17, Michael Osipov wrote:
I would really really expect that Tomcat fails hard with 4xx if the input is
invalid and not issue a simple INFO at the log. The huge problem is that the
request
On 2024/07/02 10:33:29 Mark Thomas wrote:
> On 01/07/2024 07:17, Michael Osipov wrote:
> > On 2024/06/27 17:13:56 Christopher Schultz wrote:
> >> Michael,
> >>
> >> On 6/27/24 08:46, Michael Osipov wrote:
> >>> On 2023/03/09 14:23:33 Christopher Schultz wrote:
> A potential use-case for "large
On 01/07/2024 07:17, Michael Osipov wrote:
On 2024/06/27 17:13:56 Christopher Schultz wrote:
Michael,
On 6/27/24 08:46, Michael Osipov wrote:
On 2023/03/09 14:23:33 Christopher Schultz wrote:
A potential use-case for "large numbers of parameters" might be an
application that uses something li
On 2024/06/27 17:13:56 Christopher Schultz wrote:
> Michael,
>
> On 6/27/24 08:46, Michael Osipov wrote:
> > On 2023/03/09 14:23:33 Christopher Schultz wrote:
> >> A potential use-case for "large numbers of parameters" might be an
> >> application that uses something like a multi-select list and t
Michael,
On 6/27/24 08:46, Michael Osipov wrote:
On 2023/03/09 14:23:33 Christopher Schultz wrote:
A potential use-case for "large numbers of parameters" might be an
application that uses something like a multi-select list and the number
of choices is stupendously high. As in, when the applicat
On Fri, Mar 24, 2023 at 10:01 AM Mark Thomas wrote:
>
> On 23/03/2023 20:20, Christopher Schultz wrote:
> > Mark,
> >
> > On 3/22/23 07:38, Mark Thomas wrote:
> >> Any more thoughts on this?
> >>
> >> There hasn't been much movement from the spec EG on this, so my
> >> current thinking is to rever
On 23/03/2023 20:20, Christopher Schultz wrote:
Mark,
On 3/22/23 07:38, Mark Thomas wrote:
Any more thoughts on this?
There hasn't been much movement from the spec EG on this, so my
current thinking is to revert this change for 10.1.x and earlier to
wait and see what the Servlet EG decides.
Mark,
On 3/22/23 07:38, Mark Thomas wrote:
Any more thoughts on this?
There hasn't been much movement from the spec EG on this, so my current
thinking is to revert this change for 10.1.x and earlier to wait and see
what the Servlet EG decides.
I'd like to leave our changes in, but I underst
On 23/03/2023 12:02, Konstantin Kolinko wrote:
Thanks for the continued feedback. Having someone to bounce ideas off is
really helpful.
Wed, 22 Mar 2023 at 14:38, Mark Thomas :
Any more thoughts on this?
1. If we cannot agree on the required behaviour, it is one more reason
to make it
Wed, 22 Mar 2023 at 14:38, Mark Thomas :
>
> Any more thoughts on this?
>
1. If we cannot agree on the required behaviour, it is one more reason
to make it configurable.
As I said, it would be more useful to configure it at a Context.
2. Regarding the default behaviour,
Throwing an exception
Any more thoughts on this?
There hasn't been much movement from the spec EG on this, so my current
thinking is to revert this change for 10.1.x and earlier to wait and see
what the Servlet EG decides.
Mark
On 15/03/2023 15:05, Mark Thomas wrote:
On 15/03/2023 11:22, Konstantin Kolinko wrot
On 15/03/2023 11:22, Konstantin Kolinko wrote:
Wed, 15 Mar 2023 at 13:29, Konstantin Kolinko :
Wed, 15 Mar 2023 at 13:15, Konstantin Kolinko :
Wed, 15 Mar 2023 at 12:07, Mark Thomas :
On 14/03/2023 21:13, Christopher Schultz wrote:
On 3/14/23 13:57, Mark Thomas wrote:
On 09/03/2023 14:
Wed, 15 Mar 2023 at 13:15, Konstantin Kolinko :
>
> [...]
>
> -1 unless the behaviour of "silently dropping extra parameters" is
> changed as well.
>
> Silent loss of data is not what I want to see in production.
>
> Documentation [1] says "Request parameters beyond this limit will be ignored."
>
Wed, 15 Mar 2023 at 13:29, Konstantin Kolinko :
>
> Wed, 15 Mar 2023 at 13:15, Konstantin Kolinko :
> >
> > Wed, 15 Mar 2023 at 12:07, Mark Thomas :
> > >
> > > On 14/03/2023 21:13, Christopher Schultz wrote:
> > > > Mark,
> > > >
> > > > On 3/14/23 13:57, Mark Thomas wrote:
> > > >> On 09/03
Wed, 15 Mar 2023 at 13:15, Konstantin Kolinko :
>
> Wed, 15 Mar 2023 at 12:07, Mark Thomas :
> >
> > On 14/03/2023 21:13, Christopher Schultz wrote:
> > > Mark,
> > >
> > > On 3/14/23 13:57, Mark Thomas wrote:
> > >> On 09/03/2023 14:23, Christopher Schultz wrote:
> > >>> Mark,
> > >>>
> > >>>
Wed, 15 Mar 2023 at 12:07, Mark Thomas :
>
> On 14/03/2023 21:13, Christopher Schultz wrote:
> > Mark,
> >
> > On 3/14/23 13:57, Mark Thomas wrote:
> >> On 09/03/2023 14:23, Christopher Schultz wrote:
> >>> Mark,
> >>>
> >>> On 3/9/23 05:56, Mark Thomas wrote:
> Hi all,
>
> In the
On 14/03/2023 21:13, Christopher Schultz wrote:
Mark,
On 3/14/23 13:57, Mark Thomas wrote:
On 09/03/2023 14:23, Christopher Schultz wrote:
Mark,
On 3/9/23 05:56, Mark Thomas wrote:
Hi all,
In the context of CVE-2023-24998 (performance issues for large
numbers of uploaded parts), I have bee
Mark,
On 3/14/23 13:57, Mark Thomas wrote:
On 09/03/2023 14:23, Christopher Schultz wrote:
Mark,
On 3/9/23 05:56, Mark Thomas wrote:
Hi all,
In the context of CVE-2023-24998 (performance issues for large
numbers of uploaded parts), I have been wondering about reducing the
default value for
On 09/03/2023 14:23, Christopher Schultz wrote:
Mark,
On 3/9/23 05:56, Mark Thomas wrote:
Hi all,
In the context of CVE-2023-24998 (performance issues for large numbers
of uploaded parts), I have been wondering about reducing the default
value for maxParameterCount.
The current default for
Mark,
On 3/9/23 05:56, Mark Thomas wrote:
Hi all,
In the context of CVE-2023-24998 (performance issues for large numbers
of uploaded parts), I have been wondering about reducing the default
value for maxParameterCount.
The current default for maxParameterCount is 10,000. It was set based on
Hi all,
In the context of CVE-2023-24998 (performance issues for large numbers
of uploaded parts), I have been wondering about reducing the default
value for maxParameterCount.
The current default for maxParameterCount is 10,000. It was set based on
it being low enough to mitigate CVE-2012-0
25 matches