Re: maxParameterCount not applied to multipart requests

2012-05-08 Thread Kanatoko
Mark Thomas wrote: Yep, a one line fix was required. Fixed in trunk and 7.0.x and will be in 7.0.28 onwards. Mark I have confirmed that this issue is fixed in Tomcat 7 trunk. Thank you Mark. -- Kanatoko http://www.jumperz.net/

Re: maxParameterCount not applied to multipart requests

2012-05-08 Thread Mark Thomas
On 08/05/2012 10:56, Mark Thomas wrote: > On 08/05/2012 10:28, André Warnier wrote: >> Christopher Schultz wrote: >>> -BEGIN PGP SIGNED MESSAGE- >>> Hash: SHA1 >>> >>> Mark, >>> >>> On 5/7/12 5:21 PM, Mark Thomas wrote: > Christopher Schultz wrote: Tomcat only processes these reque

Re: maxParameterCount not applied to multipart requests

2012-05-08 Thread Mark Thomas
On 08/05/2012 10:28, André Warnier wrote: > Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> Mark, >> >> On 5/7/12 5:21 PM, Mark Thomas wrote: Christopher Schultz wrote: >>> Tomcat only processes these requests for Servlet 3.0 file upload >>> and there are a

Re: maxParameterCount not applied to multipart requests

2012-05-08 Thread André Warnier
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 5/7/12 5:21 PM, Mark Thomas wrote: Christopher Schultz wrote: Tomcat only processes these requests for Servlet 3.0 file upload and there are already sufficient limits in place for that case to prevent a DoS. A

Re: maxParameterCount not applied to multipart requests

2012-05-08 Thread Kanatoko
I had some tests on a servlet with @MultipartConfig and getParts() and found that the hash collision attack was still in place. Parameters like below cause the problem. * --abc Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyE

Re: maxParameterCount not applied to multipart requests

2012-05-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 5/7/12 5:21 PM, Mark Thomas wrote: >> Christopher Schultz wrote: > > Tomcat only processes these requests for Servlet 3.0 file upload > and there are already sufficient limits in place for that case to > prevent a DoS. Aah, right: multipart

Re: maxParameterCount not applied to multipart requests

2012-05-07 Thread Mark Thomas
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/05/2012 22:22, Christopher Schultz wrote: > André, > > On 5/7/12 5:10 PM, André Warnier wrote: >> Christopher Schultz wrote: >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >>> >>> Mark, >>> >>> On 5/6/12 5:05 AM, Mark Thomas wrote: On

Re: maxParameterCount not applied to multipart requests

2012-05-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 5/7/12 5:10 PM, André Warnier wrote: > Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >> Mark, >> >> On 5/6/12 5:05 AM, Mark Thomas wrote: >>> On 05/05/2012 12:25, Kanatoko wrote: Hello list,

Re: maxParameterCount not applied to multipart requests

2012-05-07 Thread Mark Thomas
On 07/05/2012 22:10, André Warnier wrote: > Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> Mark, >> >> On 5/6/12 5:05 AM, Mark Thomas wrote: >>> On 05/05/2012 12:25, Kanatoko wrote: Hello list, It seems that the Connector attribute "maxParameterC

Re: maxParameterCount not applied to multipart requests

2012-05-07 Thread André Warnier
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 5/6/12 5:05 AM, Mark Thomas wrote: On 05/05/2012 12:25, Kanatoko wrote: Hello list, It seems that the Connector attribute "maxParameterCount" is not applied to multipart requests. Correct. This is by design.

Re: maxParameterCount not applied to multipart requests

2012-05-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark, On 5/6/12 5:05 AM, Mark Thomas wrote: > On 05/05/2012 12:25, Kanatoko wrote: >> Hello list, >> >> It seems that the Connector attribute "maxParameterCount" is not >> applied to multipart requests. > > Correct. This is by design. Doesn't that

Re: maxParameterCount not applied to multipart requests

2012-05-06 Thread Mark Thomas
On 05/05/2012 12:25, Kanatoko wrote: > Hello list, > > It seems that the Connector attribute "maxParameterCount" is not applied > to multipart requests. Correct. This is by design. > (And, the default value is -1, maybe it should be 1.) Wrong. The default is 1, as per the documentation.

maxParameterCount not applied to multipart requests

2012-05-05 Thread Kanatoko
Hello list, It seems that the Connector attribute "maxParameterCount" is not applied to multipart requests. (And, the default value is -1, maybe it should be 1.) Tested version: Tomcat 7 trunk Thanks. -- Kanatoko http://www.jumperz.net/