Hi,
The exact version of Tomcat I am working with is 7.0.27.

I am verifying the fix discussed here

http://news.softpedia.com/news/Apache-Tomcat-Workaround-for-Hashtable-Collision-DoS-Vulnerability-243544.shtml


Here is the snippet of the implementation [org.apache.tomcat.util.http.Parameters.java]:


    private int limit = -1;   // <-- this is being set to the value of maxParameterCount
                              //     mentioned in the Connector tag of server.xml
    private int parameterCount = 0;

    public void addParameter( String key, String value )
            throws IllegalStateException {

        if( key==null ) {
            return;
        }

        parameterCount ++;
        if (limit > -1 && parameterCount > limit) {
            // Processing this parameter will push us over the limit. ISE is
            // what Request.parseParts() uses for requests that are too big
            parseFailed = true;
            throw new IllegalStateException(sm.getString(
                    "parameters.maxCountFail", Integer.valueOf(limit)));
        }

        ArrayList<String> values = paramHashValues.get(key);
        if (values == null) {
            values = new ArrayList<String>(1);
            paramHashValues.put(key, values);
        }
        values.add(value);
    }


Now what happens when the number of request parameters exceeds maxParameterCount?


-Manjesh

On Thu, May 31, 2012 at 2:39 AM, Konstantin Kolinko
<knst.koli...@gmail.com> wrote:
> 2012/5/30 manjesh <manjes...@gmail.com>:
>> Hi ,
>> I have downloaded tomcat 7.1 for Windows OS
>>
>
> 1. There is no such version. I do not know what you are testing.
>
>> added the following parameter (maxParameterCount) into server.xml
>>
>>  <Connector port="8080" protocol="HTTP/1.1"
>>              connectionTimeout="20000"
>>              redirectPort="8443" maxParameterCount="5"/>
>>
>>
>>
>> restarted the server.
>>
>> to test this fix , I created a JSP with 6 text fields having same name
>> ( example   <input type="text" name="username"/>  6 input boxes )
>> when I give input for all of these input fields and click on submit,
>> still the request is being processed...
>> I am expecting  the request processing should be aborted and
>> IllegalStateException must be thrown according to the fix done in
>> Parameters class  of (tomcat-coyote.jar)
>>
>
> 2. Your expectations are wrong. Documentation for that option in
> configuration reference says exactly what happens when you have more
> parameters than specified by that option.
>
> An IllegalStateException cannot be thrown, because Servlet API does
> not allow that.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>



-- 
Regards
Manjesh
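
Added example, not part of the thread or Tomcat's source: a simplified model of the limit check in the snippet above, run on a constructed six-field submission with a limit of 5. The class name, the parse method and its catch-and-stop handling are assumptions for illustration, chosen to match the connector documentation's wording that parameters beyond the limit are ignored.

```java
import java.util.*;

// Simplified model of the limit check in the posted addParameter() snippet.
// Not Tomcat's code: the class and the parse() method are hypothetical.
public class ParamLimitDemo {
    private final int limit;             // models maxParameterCount; -1 = no limit
    private int parameterCount = 0;
    private boolean parseFailed = false;
    private final Map<String, List<String>> values = new LinkedHashMap<>();

    ParamLimitDemo(int limit) { this.limit = limit; }

    // Same counting logic as the snippet: every name/value pair counts,
    // so six fields sharing one name are six parameters, not one.
    void addParameter(String key, String value) {
        if (key == null) return;
        parameterCount++;
        if (limit > -1 && parameterCount > limit) {
            parseFailed = true;
            throw new IllegalStateException("more than " + limit + " parameters");
        }
        values.computeIfAbsent(key, k -> new ArrayList<>(1)).add(value);
    }

    // Assumed caller behaviour: catch the exception, stop parsing, carry on.
    void parse(String query) {
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            try {
                addParameter(k, v);
            } catch (IllegalStateException ise) {
                break; // remaining pairs are ignored; the request is not aborted
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: six fields with the same name, as in the test JSP.
        ParamLimitDemo p = new ParamLimitDemo(5);
        p.parse("username=a&username=b&username=c&username=d&username=e&username=f");
        System.out.println("kept=" + p.values.get("username"));
        System.out.println("parseFailed=" + p.parseFailed);
        // An application that must not act on truncated input can check a
        // flag like this and reject the request instead of processing it.
    }
}
```

In this model the request still completes with the first five values and a raised failure flag; Tomcat ships a FailedRequestFilter (org.apache.catalina.filters.FailedRequestFilter) for rejecting requests whose parameter parsing failed.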
