Re: how to test hash collision security fix in tomcat 7.1
2012/5/31 manjesh :
> Hi,
> The exact version of tomcat I am working with is 7.0.27
>
> I am verifying the fix discussed here
>
> http://news.softpedia.com/news/Apache-Tomcat-Workaround-for-Hashtable-Collision-DoS-Vulnerability-243544.shtml
>
> Here is the snippet of implementation
[ ... ]

1. The docs are here:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

2. IllegalStateException is caught and never returned to the caller of the Servlet API.

You can run Tomcat under a debugger if you want to trace the implementation details.
http://wiki.apache.org/tomcat/FAQ/Developing#Debugging

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
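As an added example (not part of the thread, and not Tomcat's own code), the following script shows what a servlet actually sees when a request carries more parameters than the Connector's maxParameterCount, which is the question the thread answers only by pointing at the documentation. limited_parse() is a Python model of the addParameter() snippet Manjesh quoted, combined with the behaviour Konstantin describes: the IllegalStateException is caught inside Tomcat, the parameters parsed up to the limit are kept, the rest are ignored, and the request is flagged rather than aborted. The request attribute name and the FailedRequestFilter class are Tomcat 7.0.x details relied on here but not quoted anywhere in the thread; the probe URL is an assumption, and the script only contacts a server when one is given on the command line.

```python
"""
Added example, not code from the thread or from Tomcat itself: what a servlet
sees when a request carries more parameters than the Connector's
maxParameterCount, plus a probe to check it against a running Tomcat.

The attribute name and filter class below are Tomcat 7.0.x details relied on
here, not something quoted in the thread; the probe URL is an assumption.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Request attribute Tomcat sets when parameter parsing hit the limit; this is
# what org.apache.catalina.filters.FailedRequestFilter keys on to answer 400.
PARSE_FAILED_ATTR = "org.apache.catalina.parameter_parse_failed"

# web.xml fragment (assumed deployment, not from the thread) that turns the
# silent truncation into the rejection Manjesh expected to see.
FAILED_REQUEST_FILTER_WEB_XML = """\
<filter>
  <filter-name>failedRequestFilter</filter-name>
  <filter-class>org.apache.catalina.filters.FailedRequestFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>failedRequestFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
"""


def limited_parse(body, limit):
    """Model of Parameters.addParameter() with maxParameterCount = limit.

    Returns (params, parse_failed). params maps name -> list of values, as
    getParameterValues() would return them; parse_failed mirrors the flag
    that becomes PARSE_FAILED_ATTR on the request. limit < 0 means no limit.
    """
    pairs = urllib.parse.parse_qsl(body, keep_blank_values=True)
    params = {}
    count = 0
    for key, value in pairs:
        count += 1                        # one addParameter() call per pair;
        if limit > -1 and count > limit:  # repeats of one name count as well
            # Tomcat throws ISE here, catches it in Request.parseParameters()
            # and stops parsing: the servlet runs with what was parsed so far.
            return params, True
        params.setdefault(key, []).append(value)
    return params, False


def manjesh_test(limit=5, fields=6):
    """The thread's own test: six text fields sharing one name, limit 5."""
    body = urllib.parse.urlencode(
        [("field", str(i)) for i in range(1, fields + 1)])
    return limited_parse(body, limit)


def probe_tomcat(url, limit, timeout=5):
    """POST limit+1 distinct fields to a running Tomcat; return the status.

    200 means the servlet ran on the truncated parameter set (the default);
    400 means FailedRequestFilter is mapped for that webapp.
    """
    body = urllib.parse.urlencode(
        [("p%d" % i, "x") for i in range(limit + 1)]).encode("ascii")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    params, failed = manjesh_test()
    print("servlet sees:", params, "| parse failed:", failed)
    if len(sys.argv) > 1:   # e.g. http://localhost:8080/test/echo (assumed URL)
        status = probe_tomcat(sys.argv[1], limit=5)
        print("Tomcat answered", status)
        if status == 200:
            print("to reject such requests, add to WEB-INF/web.xml:\n"
                  + FAILED_REQUEST_FILTER_WEB_XML)
```

Run without arguments to see the model's answer for the thread's six-fields-named-alike test: the servlet gets five values and a parse-failed flag, and no exception reaches it. Run with the URL of a page that echoes request.getParameterMap() to confirm the same against a real Tomcat; until FailedRequestFilter is mapped in the webapp's web.xml, a 200 with a truncated parameter set is the expected result, not a bug in the fix.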
Re: how to test hash collision security fix in tomcat 7.1
Hi,

The exact version of tomcat I am working with is 7.0.27

I am verifying the fix discussed here

http://news.softpedia.com/news/Apache-Tomcat-Workaround-for-Hashtable-Collision-DoS-Vulnerability-243544.shtml

Here is the snippet of implementation [org.apache.tomcat.util.http.Parameters.java]

    // limit is set to the value of maxParameterCount mentioned in the
    // Connector tag of server.xml
    private int limit = -1;
    private int parameterCount = 0;

    public void addParameter( String key, String value )
            throws IllegalStateException {
        if( key==null ) {
            return;
        }
        parameterCount ++;
        if (limit > -1 && parameterCount > limit) {
            // Processing this parameter will push us over the limit. ISE is
            // what Request.parseParts() uses for requests that are too big
            parseFailed = true;
            throw new IllegalStateException(sm.getString(
                    "parameters.maxCountFail", Integer.valueOf(limit)));
        }

        ArrayList<String> values = paramHashValues.get(key);
        if (values == null) {
            values = new ArrayList<String>(1);
            paramHashValues.put(key, values);
        }
        values.add(value);
    }

Now what happens when the number of request parameters exceeds maxParameterCount?

-Manjesh

On Thu, May 31, 2012 at 2:39 AM, Konstantin Kolinko wrote:
> 2012/5/30 manjesh :
>> Hi ,
>> I have downloaded tomcat 7.1 for Windows OS
>>
>
> 1. There is no such version. I do not know what you are testing.
>
>> added the following parameter (maxParameterCount) into server.xml
>>
>> <Connector ... connectionTimeout="2"
>>            redirectPort="8443" maxParameterCount="5"/>
>>
>> restarted the server.
>>
>> to test this fix , I created a JSP with 6 text fields having the same name
>> ( example 6 input boxes )
>> when I give input for all of these input fields and click on submit,
>> still the request is being processed...
>> I am expecting the request processing should be aborted and
>> IllegalStateException must be thrown according to the fix done in
>> Parameters class of (tomcat-coyote.jar)
>>
>
> 2. Your expectations are wrong. Documentation for that option in
> configuration reference says exactly what happens when you have more
> parameters than specified by that option.
>
> An IllegalStateException cannot be thrown, because Servlet API does
> not allow that.

--
Regards
Manjesh
Re: how to test hash collision security fix in tomcat 7.1
2012/5/30 manjesh :
> Hi ,
> I have downloaded tomcat 7.1 for Windows OS
>

1. There is no such version. I do not know what you are testing.

> added the following parameter (maxParameterCount) into server.xml
>
> <Connector ... connectionTimeout="2"
>            redirectPort="8443" maxParameterCount="5"/>
>
> restarted the server.
>
> to test this fix , I created a JSP with 6 text fields having the same name
> ( example 6 input boxes )
> when I give input for all of these input fields and click on submit,
> still the request is being processed...
> I am expecting the request processing should be aborted and
> IllegalStateException must be thrown according to the fix done in
> Parameters class of (tomcat-coyote.jar)
>

2. Your expectations are wrong. Documentation for that option in the
configuration reference says exactly what happens when you have more
parameters than specified by that option.

An IllegalStateException cannot be thrown, because the Servlet API does
not allow that.
how to test hash collision security fix in tomcat 7.1
Hi ,

I have downloaded tomcat 7.1 for Windows OS

added the following parameter (maxParameterCount) into server.xml

    <Connector ... connectionTimeout="2"
               redirectPort="8443" maxParameterCount="5"/>

restarted the server.

to test this fix , I created a JSP with 6 text fields having the same name
( example 6 input boxes )
when I give input for all of these input fields and click on submit,
still the request is being processed...
I am expecting the request processing should be aborted and
IllegalStateException must be thrown according to the fix done in
Parameters class of (tomcat-coyote.jar)

am I doing the test correctly..? please help me

Note: I have also tried adding the parameter to JAVA_OPTS in run.bat

--
Regards
Manjesh