On Tue, 21 Aug 2001, Christopher Cain wrote:
> "Pier P. Fumagalli" wrote:
> >
> > Justin Erenkrantz at [EMAIL PROTECTED] wrote:
> >
> > > On Tue, Aug 21, 2001 at 06:51:52PM -0000, [EMAIL PROTECTED] wrote:
> > >> craigmcc 01/08/21 11:51:52
> > >>
> > >> Modified: catalina/src/share/org/apache/catalina/core
> > >> StandardServer.java
> > >> Log:
> > >> Fix for a DoS attack against the shutdown port, that could cause an "out
> > >> of memory" exception by sending a continuous stream of characters. Now,
> > >> Tomcat will only listen for enough characters to match or not-match the
> > >> required password, then it shuts the port.
> > >
> > > Now I'll know exactly how long the shutdown password is. =-) -- justin
> >
> > Good point... :(
> >
> > Pier
>
> It is a good point. Might I suggest shutting it off at an arbitrary
> limit instead ... say, 100 characters?
>
100 is a little short for paranoid sysadmins that use a really long
password :-). But you'll get a kick out of what I did implement :-).
> - Christopher
>
Craig
