I had some tests on a servlet with @MultipartConfig and getParts()
and found that the hash collision attack was still in place.

Parameters like the ones below cause the problem.
*********************************************************
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyEyEy"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyEyFZ"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyFZEy"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyFZFZ"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyFZEyEy"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyFZEyFZ"

1
(repeat)
*********************************************************

As I wrote, the number of parameters is not limited to 10000.

Thanks.

--
Kanatoko
http://www.jumperz.net/
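
A defensive check for the pattern reported above, added here as an example (it is not part of the original message and not Tomcat code): it recomputes Java's `String.hashCode()` for each multipart part name and flags a body where many distinct names share one hash. It assumes part names end up as keys in a map hashed with `String.hashCode()`; the `collision_report` function, its `max_per_hash` threshold and the sample body are hypothetical.

```python
import re
from collections import Counter

# Part names copied from the message above; the body built around them is constructed.
PAGE_NAMES = [
    "EyEyEyEyEyEyEyEyEyEyEyEyEyEyEy",
    "EyEyEyEyEyEyEyEyEyEyEyEyEyEyFZ",
    "EyEyEyEyEyEyEyEyEyEyEyEyEyFZEy",
    "EyEyEyEyEyEyEyEyEyEyEyEyEyFZFZ",
    "EyEyEyEyEyEyEyEyEyEyEyEyFZEyEy",
    "EyEyEyEyEyEyEyEyEyEyEyEyFZEyFZ",
]

# \bname does not match inside filename="...", so only the field name is captured.
PART_NAME = re.compile(r'^Content-Disposition:\s*form-data;.*?\bname="([^"]*)"',
                       re.I | re.M)

def java_string_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + code unit, wrapped to signed 32 bits."""
    data = s.encode("utf-16-be", "surrogatepass")  # Java hashes UTF-16 code units
    h = 0
    for i in range(0, len(data), 2):
        h = (31 * h + ((data[i] << 8) | data[i + 1])) & 0xFFFFFFFF
    return h - 0x100000000 if h & 0x80000000 else h

def build_body(names, boundary="abc"):
    """Constructed multipart body in the shape shown in the message."""
    parts = (f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n1\r\n'
             for n in names)
    return "".join(parts) + f"--{boundary}--\r\n"

def collision_report(body: str, max_per_hash: int = 3) -> dict:
    """Count distinct part names per hashCode; max_per_hash is a hypothetical limit."""
    names = PART_NAME.findall(body)
    distinct = set(names)  # repeated identical names share one map key
    buckets = Counter(java_string_hash(n) for n in distinct)
    worst = max(buckets.values(), default=0)
    return {
        "parts": len(names),
        "distinct_names": len(distinct),
        "worst_bucket": worst,
        "suspicious": worst > max_per_hash,
    }

if __name__ == "__main__":
    print(collision_report(build_body(PAGE_NAMES)))
    print(collision_report(build_body(["user", "email", "file"])))
```
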



