Re: maxParameterCount not applied to multipart requests
I had some tests on a servlet with @MultipartConfig and getParts() and found that the hash collision attack was still in place. Parameters like below cause the problem.

*
--abc
Content-Disposition: form-data; name=EyEyEyEyEyEyEyEyEyEyEyEyEyEyEy

1
--abc
Content-Disposition: form-data; name=EyEyEyEyEyEyEyEyEyEyEyEyEyEyFZ

1
--abc
Content-Disposition: form-data; name=EyEyEyEyEyEyEyEyEyEyEyEyEyFZEy

1
--abc
Content-Disposition: form-data; name=EyEyEyEyEyEyEyEyEyEyEyEyEyFZFZ

1
--abc
Content-Disposition: form-data; name=EyEyEyEyEyEyEyEyEyEyEyEyFZEyEy

1
--abc
Content-Disposition: form-data; name=EyEyEyEyEyEyEyEyEyEyEyEyFZEyFZ

1
(repeat)
*

As I wrote, the number of parameters is not limited to 1.

Thanks.

--
Kanatoko
http://www.jumperz.net/

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: maxParameterCount not applied to multipart requests
Mark Thomas wrote:

Yep, a one line fix was required. Fixed in trunk and 7.0.x and will be in 7.0.28 onwards.

Mark

I have confirmed that this issue is fixed in tomcat 7 trunk. Thank you Mark.

--
Kanatoko
http://www.jumperz.net/

maxParameterCount not applied to multipart requests
Hello list,

It seems that the Connector attribute maxParameterCount is not applied to multipart requests. (And, the default value is -1, maybe it should be 1.)

Tested version: Tomcat 7 trunk

Thanks.

--
Kanatoko
http://www.jumperz.net/
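
An added example, not part of the thread and not Tomcat code: a stand-alone check a defender could run over a captured multipart body to see whether it exceeds a part-count limit or concentrates its part names in one java.lang.String.hashCode() value, the two conditions this report is about. The function names, the thresholds and the six-part sample (built in the same pattern as the names quoted in the thread) are assumptions constructed for illustration.

```python
import re
from collections import Counter

def java_hash(s):
    """java.lang.String.hashCode() as an unsigned 32-bit value (BMP characters only)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h

def part_names(body, boundary):
    """Return the form-data name of every part. Simplified parser: it assumes the
    boundary string never occurs inside a part's content."""
    names = []
    for seg in body.split(b"--" + boundary)[1:]:
        if seg.startswith(b"--"):              # closing delimiter "--boundary--"
            break
        headers = seg.split(b"\r\n\r\n", 1)[0]
        # [;\s] before "name=" keeps "filename=" from matching
        m = re.search(rb'[;\s]name="?([^";\r\n]+)', headers, re.I)
        if m:
            names.append(m.group(1).decode("latin-1"))
    return names

def check_multipart(body, boundary, max_parts, max_same_hash):
    """Flag a body with more parts than max_parts (what maxParameterCount is meant
    to enforce) or with more than max_same_hash names sharing one hash value."""
    names = part_names(body, boundary)
    worst = max(Counter(java_hash(n) for n in names).values(), default=0)
    reasons = []
    if len(names) > max_parts:
        reasons.append("too many parts")
    if worst > max_same_hash:
        reasons.append("names share one hash")
    return {"parts": len(names), "worst_bucket": worst, "reasons": reasons}

# Constructed sample: six parts, boundary "abc", names in the pattern quoted in the thread.
PREFIX = "Ey" * 12
SAMPLE_NAMES = [PREFIX + s for s in
                ("EyEyEy", "EyEyFZ", "EyFZEy", "EyFZFZ", "FZEyEy", "FZEyFZ")]
SAMPLE_BODY = b"".join(
    b"--abc\r\nContent-Disposition: form-data; name=%s\r\n\r\n1\r\n" % n.encode()
    for n in SAMPLE_NAMES) + b"--abc--\r\n"

if __name__ == "__main__":
    # Thresholds are hypothetical, chosen small so the six-part sample trips both.
    print(check_multipart(SAMPLE_BODY, b"abc", max_parts=4, max_same_hash=3))
```
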