Just a security issue.
Confirm that you are not listening only to the necessary characters to know
that it doesn't match, but that you are listening for more. Because if you stop it
just when you know it will not match, a hacker can easily guess what the
password is. You should have a (big) minimum to listen for before stopping it.
Sorry if this mail is useless (most probably), just a thought.

Chau,

Gaston


----- Original Message -----
From: "Pier P. Fumagalli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 21, 2001 9:10 PM
Subject: Re: cvs
commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java


> Justin Erenkrantz at [EMAIL PROTECTED] wrote:
>
> > On Tue, Aug 21, 2001 at 06:51:52PM -0000, [EMAIL PROTECTED] wrote:
> >> craigmcc    01/08/21 11:51:52
> >>
> >>   Modified:    catalina/src/share/org/apache/catalina/core
> >>                         StandardServer.java
> >>   Log:
> >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> >>   of memory" exception by sending a continuous stream of characters. Now,
> >>   Tomcat will only listen for enough characters to match or not-match the
> >>   required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
>
> Good point... :(
>
>     Pier
>
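As an added example (not code from the Tomcat commit or from anyone in this thread), here is a shutdown-port reader in Python that keeps the bounded read from the DoS fix but does not stop at the first mismatching character, so the number of bytes it accepts says nothing about the password's length. The 1024-byte cap, the FakeSocket stand-in, and the assumption that a client closes its connection after sending the command are mine.

```python
import hmac
import io

# Assumed upper bound on a shutdown command; the real password is far shorter.
# Memory use is bounded by this cap, which is what defeats the "out of memory" DoS.
MAX_COMMAND_LEN = 1024


class FakeSocket:
    """Minimal stand-in for a socket: serves bytes from a constructed buffer."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)
        self.bytes_read = 0  # lets a test check how much the server consumed

    def recv(self, n: int) -> bytes:
        chunk = self._buf.read(n)
        self.bytes_read += len(chunk)
        return chunk


def read_shutdown_command(sock, expected: bytes) -> bool:
    """Read the client's command and decide whether it is the shutdown password.

    Always reads until MAX_COMMAND_LEN bytes have arrived or the peer closes,
    whichever comes first. The amount consumed therefore never depends on where
    the input first diverges from the password, which is the leak a
    stop-at-first-mismatch reader would expose.
    """
    buf = bytearray()
    while len(buf) < MAX_COMMAND_LEN:
        chunk = sock.recv(MAX_COMMAND_LEN - len(buf))
        if not chunk:  # peer closed; legitimate clients do this after sending
            break
        buf.extend(chunk)
    # compare_digest does not short-circuit on the first differing byte, so the
    # comparison time does not reveal the length of the matching prefix either.
    return hmac.compare_digest(bytes(buf), expected)
```

A stop-at-mismatch reader would close after one byte for an all-wrong stream and after eight for a stream that matches "SHUTDOW" then diverges; this one consumes the same 1024 bytes in both cases.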
