RE: maxParameterCount with Tomcat 5.5.23

2012-05-24 Thread Haenni, Tia
For my Red Hat delivered Tomcat, changes to the connector attribute were 
ignored. However, I did find a fix that works.

In tomcat5.conf, after all other settings are added to JAVA_OPTS, add the value 
you desire for max parameter count like this:

# RH KB 100383
# Override default max parameter count of 512
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=1"

The Red Hat KB article references the JBoss run script, but the above works fine 
for standalone Tomcat.

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, May 11, 2012 3:51 PM
To: Tomcat Users List
Subject: RE: maxParameterCount with Tomcat 5.5.23

> From: Haenni, Tia [mailto:thae...@burnsmcd.com]
> Subject: RE: maxParameterCount with Tomcat 5.5.23

> I read some posts where it was apparently ignored and the default used 
> instead.

It would be interesting to know who's publishing such garbage.

> Can you confirm that setting maxParameterCount in the connector 
> attribute will override the default?

Not on a Tomcat mangled by Red Hat - you're on your own with that.  If you use 
a real Tomcat, it will certainly work.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
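
The check below is an added example, not part of the thread: it sources a tomcat5.conf-style file the way a shell startup script would and reports which Parameters.MAX_COUNT value actually ends up in JAVA_OPTS, including the case where the assignment is written without quotes. It assumes tomcat5.conf is read by a POSIX shell; the sample files, the value 2000 and the function name effective_max_count are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the Parameters.MAX_COUNT value that a
# tomcat5.conf-style file really passes to the JVM via JAVA_OPTS.
PROP='org.apache.tomcat.util.http.Parameters.MAX_COUNT'

# effective_max_count FILE
# Sources FILE in a subshell, then prints the last -D$PROP value found
# in JAVA_OPTS, or "unset" if the option never made it in.
effective_max_count() {
    (
        set +e    # a failing line in FILE must not abort the check
        set -f    # no glob expansion while splitting JAVA_OPTS
        JAVA_OPTS=''
        { . "$1"; } 2>/dev/null
        value='unset'
        for opt in $JAVA_OPTS; do
            case "$opt" in
                "-D$PROP="*) value=${opt#*=} ;;
            esac
        done
        printf '%s\n' "$value"
    )
}

# Constructed sample files; 2000 is an arbitrary illustrative limit.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
QUOTED_CONF="$tmp/quoted.conf"
UNQUOTED_CONF="$tmp/unquoted.conf"

cat > "$QUOTED_CONF" <<EOF
JAVA_OPTS="-Xmx512m"
JAVA_OPTS="\$JAVA_OPTS -D$PROP=2000"
EOF

# Without quotes the shell sets JAVA_OPTS only for a command named
# "-Dorg.apache...", which does not exist, so JAVA_OPTS is left unchanged.
cat > "$UNQUOTED_CONF" <<EOF
JAVA_OPTS="-Xmx512m"
JAVA_OPTS=\$JAVA_OPTS -D$PROP=2000
EOF

echo "quoted:   $(effective_max_count "$QUOTED_CONF")"
echo "unquoted: $(effective_max_count "$UNQUOTED_CONF")"
```

Sourcing executes the file, so point the function only at the server's own configuration file.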



maxParameterCount with Tomcat 5.5.23

2012-05-11 Thread Haenni, Tia
A recent RHEL patch supplied the following Tomcat packages which attempt to 
address a possible DoS attack as outlined at the link below:

tomcat5-jasper-5.5.23-0jpp.31.el5_8
tomcat5-server-lib-5.5.23-0jpp.31.el5_8
tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8
tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8
tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8
tomcat5-common-lib-5.5.23-0jpp.31.el5_8
tomcat5-webapps-5.5.23-0jpp.31.el5_8
tomcat5-5.5.23-0jpp.31.el5_8

http://rhn.redhat.com/errata/RHSA-2012-0474.html

Since then I've encountered a problem with exceeding the maxParameterCount 
which seems to default at 512:

May 4, 2012 2:30:27 PM org.apache.catalina.connector.Request parseParameters
WARNING: Exception thrown whilst processing POSTed parameters
java.lang.IllegalStateException: Parameter count exceeded allowed maximum: 512
    at org.apache.tomcat.util.http.Parameters.addParam(Parameters.java:331)
    at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407)
    at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:358)
    at org.apache.catalina.connector.Request.parseParameters(Request.java:2400)
    at org.apache.catalina.connector.Request.getParameterValues(Request.java:1063)
    at org.apache.catalina.connector.RequestFacade.getParameterValues(RequestFacade.java:394).

I do not need it to be the old default of 1 and I don't think I want to set 
it to unlimited (-1) but I do need more than 512 for the application I am 
supporting.

Does anyone know how to tweak the maxParameterCount in a standalone Tomcat 
listening on 8080, with requests sent via Apache listening on 80?

This is not Tomcat as supplied with JBoss, so a fix such as that detailed at 
the link below I do not think will work:

http://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.3_Release_Notes/ar01s05.html

Thanks in advance!





RE: maxParameterCount with Tomcat 5.5.23

2012-05-11 Thread Haenni, Tia
Chuck,

Thank you for your response. Unfortunately, due to some company policies on 
supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now. 

I've read the docs and I am aware of the setting for maxParameterCount, which 
is not set at all in my Tomcat. What I don't know is if it will be honored. I 
read some posts where it was apparently ignored and the default used instead.

Can you confirm that setting maxParameterCount in the connector attribute will 
override the default?

Thanks.

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Friday, May 11, 2012 3:19 PM
To: Tomcat Users List
Subject: RE: maxParameterCount with Tomcat 5.5.23

> From: Haenni, Tia [mailto:thae...@burnsmcd.com]
> Subject: maxParameterCount with Tomcat 5.5.23

> A recent RHEL patch supplied the following Tomcat packages

Note that 5.5.23 is over five years old...  You might want to consider 
installing a real Tomcat from tomcat.apache.org instead of a 3rd-party mangled, 
horribly out-of-date version.  There are many more serious problems fixed in 
current levels.

> Since then I've encountered a problem with exceeding the 
> maxParameterCount which seems to default at 512:

That's not the default in a standard Tomcat.  Congratulate Red Hat on breaking 
things.

> Does anyone know how to tweak the maxParameterCount

Read the docs:

http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

 - Chuck





RE: maxParameterCount with Tomcat 5.5.23

2012-05-11 Thread Haenni, Tia
Konstantin,

I am aware of the EOL for 5.5. We plan to upgrade to 6.x (whatever version RH 
decides to bestow upon us)

Thanks!

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: Friday, May 11, 2012 3:43 PM
To: Tomcat Users List
Subject: Re: maxParameterCount with Tomcat 5.5.23

2012/5/12 Haenni, Tia thae...@burnsmcd.com:
> Chuck,
>
> Thank you for your response. Unfortunately, due to some company policies on 
> supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.
>
> I've read the docs and I am aware of the setting for maxParameterCount, which 
> is not set at all in my Tomcat. What I don't know is if it will be honored. I 
> read some posts where it was apparently ignored and the default used instead.
>
> Can you confirm that setting maxParameterCount in the connector attribute 
> will override the default?


It should, but that is up to you to confirm. You have that strange version of 
Tomcat, we do not.

BTW, note that ASF support of the Tomcat 5.5.x branch ends in several months, 
http://tomcat.apache.org/tomcat-55-eol.html

Best regards,
Konstantin Kolinko
