Maximum HTTP parameters

2014-01-08 Thread Dames, Kristopher J
My webapp needs to pass several thousand parameters in an HTTP POST request. I 
am required to use RHEL's tomcat packages (currently on 6.0.24). I figured out 
Red Hat has capped the maximum HTTP parameters at 512 and to get around it, I 
have to add the Java parameter 
-Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=5000 to the JVM. I know 
this isn't strictly a Tomcat issue since the problem is Red Hat's doing, but is 
anyone aware if it is possible to set this value to unlimited? I tried 
setting it to 0 and -1 but they were treated as literal values.

--
Kris Dames


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Maximum HTTP parameters

2014-01-08 Thread Mark Thomas
On 08/01/2014 21:47, Dames, Kristopher J wrote:
> My webapp needs to pass several thousand parameters in an HTTP POST
> request. I am required to use RHEL's tomcat packages (currently on
> 6.0.24). I figured out Red Hat has capped the maximum HTTP parameters
> at 512 and to get around it, I have to add the Java parameter
> -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=5000 to the JVM.
> I know this isn't strictly a Tomcat issue since the problem is Red
> Hat's doing, but is anyone aware if it is possible to set this value
> to unlimited? I tried setting it to 0 and -1 but they were treated
> as literal values.

Sorry, you'll have to take that up with RedHat. They opted to apply
their own solution rather than back-port the official fix.

The official fix (the maxParameterCount attribute of the connector) has
a default of 1 and any value less than 0 is treated as unlimited.

There are two security issues here:
1) The Java hash collision issue (CVE-2011-4858)
2) Tomcat parameter processing inefficiencies (CVE-2012-0022)

CVE-2012-0022 may mean that processing thousands of parameters is really
slow. You may see significant performance improvements if you switch to
even the latest 6.0.x.

Mark

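An added example, not code from this thread or from Tomcat itself, showing the counting contract Mark describes: a negative limit means unlimited, any other value is a literal cap (so 0 admits nothing, which is what Kris saw), and parsing stops at the cap so the excess pairs cost no CPU. It is written in Python rather than Tomcat's Java; the names parse_form_params and make_body and the constructed request body are my own.

```python
from urllib.parse import unquote_plus

UNLIMITED = -1  # maxParameterCount semantics: any value < 0 means no limit


def parse_form_params(body: str, max_count: int):
    """Parse an application/x-www-form-urlencoded body into name -> [values].

    Each name=value pair counts once, matching Tomcat's "parameter and
    value pairs" wording. Pairs beyond max_count are not parsed at all and
    the result is flagged so the caller can log or reject the request
    (Tomcat's internal classes are not reproduced here).
    Returns (params, truncated).
    """
    params: dict[str, list[str]] = {}
    truncated = False
    count = 0
    for pair in body.split("&"):
        if pair == "":
            continue  # tolerate "a=1&&b=2" and a trailing "&"
        if max_count >= 0 and count >= max_count:
            truncated = True
            break  # stop early: no decoding work for the excess
        name, _, value = pair.partition("=")  # "a" with no "=" gives value ""
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
        count += 1
    return params, truncated


def make_body(n: int) -> str:
    """Constructed sample body with n distinct parameters, e.g. f0=v0&f1=v1..."""
    return "&".join(f"f{i}=v{i}" for i in range(n))


def demo(n: int = 3000) -> dict:
    """Parse the same n-parameter body under the limits discussed in the thread."""
    body = make_body(n)
    results = {}
    for label, limit in (("rhel-512", 512), ("5000", 5000), ("unlimited", UNLIMITED)):
        params, truncated = parse_form_params(body, limit)
        results[label] = (len(params), truncated)
    return results


if __name__ == "__main__":
    for label, (parsed, truncated) in demo().items():
        print(f"limit={label:>10}: parsed {parsed} params, truncated={truncated}")
```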