I had some tests on a servlet with @MultipartConfig and getParts()
and found that the hash collision attack was still in place.
Parameters like below cause the problem.
*
--abc
Content-Disposition: form-data;
Christopher Schultz wrote:
Mark,
On 5/7/12 5:21 PM, Mark Thomas wrote:
Christopher Schultz wrote:
Tomcat only processes these requests for Servlet 3.0 file upload
and there are already sufficient limits in place for that case to
prevent a DoS.
On 08/05/2012 10:28, André Warnier wrote:
Christopher Schultz wrote:
Mark,
On 5/7/12 5:21 PM, Mark Thomas wrote:
Christopher Schultz wrote:
Tomcat only processes these requests for Servlet 3.0 file upload
and there are already sufficient
On 08/05/2012 10:56, Mark Thomas wrote:
On 08/05/2012 10:28, André Warnier wrote:
Christopher Schultz wrote:
Mark,
On 5/7/12 5:21 PM, Mark Thomas wrote:
Christopher Schultz wrote:
Tomcat only processes these requests for Servlet 3.0 file
Mark Thomas wrote:
Yep, a one line fix was required. Fixed in trunk and 7.0.x and will be
in 7.0.28 onwards.
Mark
I have confirmed that this issue is fixed in tomcat 7 trunk.
Thank you Mark.
--
Kanatoko
http://www.jumperz.net/
Mark,
On 5/6/12 5:05 AM, Mark Thomas wrote:
On 05/05/2012 12:25, Kanatoko wrote:
Hello list,
It seems that the Connector attribute maxParameterCount is not
applied to multipart requests.
Correct. This is by design.
Doesn't that make it
Christopher Schultz wrote:
Mark,
On 5/6/12 5:05 AM, Mark Thomas wrote:
On 05/05/2012 12:25, Kanatoko wrote:
Hello list,
It seems that the Connector attribute maxParameterCount is not
applied to multipart requests.
Correct. This is by design.
On 07/05/2012 22:10, André Warnier wrote:
Christopher Schultz wrote:
Mark,
On 5/6/12 5:05 AM, Mark Thomas wrote:
On 05/05/2012 12:25, Kanatoko wrote:
Hello list,
It seems that the Connector attribute maxParameterCount is not
applied to
André,
On 5/7/12 5:10 PM, André Warnier wrote:
Christopher Schultz wrote:
Mark,
On 5/6/12 5:05 AM, Mark Thomas wrote:
On 05/05/2012 12:25, Kanatoko wrote:
Hello list,
It seems that the
On 07/05/2012 22:22, Christopher Schultz wrote:
André,
On 5/7/12 5:10 PM, André Warnier wrote:
Christopher Schultz wrote:
Mark,
On 5/6/12 5:05 AM, Mark Thomas wrote:
On 05/05/2012 12:25,
Mark,
On 5/7/12 5:21 PM, Mark Thomas wrote:
Christopher Schultz wrote:
Tomcat only processes these requests for Servlet 3.0 file upload
and there are already sufficient limits in place for that case to
prevent a DoS.
Aah, right: multipart is
On 05/05/2012 12:25, Kanatoko wrote:
Hello list,
It seems that the Connector attribute maxParameterCount is not applied
to multipart requests.
Correct. This is by design.
(And, the default value is -1, maybe it should be 1.)
Wrong. The default is 1, as per the documentation.
Hello list,
It seems that the Connector attribute maxParameterCount is not applied
to multipart requests.
(And, the default value is -1, maybe it should be 1.)
Tested version: Tomcat 7 trunk
Thanks.
--
Kanatoko
http://www.jumperz.net/