Hi!
Currently it's 10.1.39 as I wanted to avoid 10.1.42 but I get the same
unpredictable behaviour from both.
I had 10.1.39 for some time before upgrading to 10.1.42 but no one reported
that the form was not working, which is not proof that it was working correctly.
Thanks for your time!
BR,
Hrvoje.
root@ubuntu-8gb-nbg1-1:~ # nginx -v
nginx version: nginx/1.24.0 (Ubuntu)
root@ubuntu-8gb-nbg1-1:/opt/tomcat # ls -al
drwxr-xr-x 4 root root 4096 Jul 4 14:43 .
drwxr-xr-x 3 root root 4096 May 18 2023 ..
lrwxrwxrwx 1 root root 19 Jul 4 14:43 logs -> tomcat-10.1.39/logs
lrwxrwxrwx 1 root root 14 Jul 4 14:43 tomcat10 -> tomcat-10.1.39
drwxr-xr-x 9 tomcat tomcat 4096 Jun 17 00:48 tomcat-10.1.39
drwxr-xr-x 9 tomcat tomcat 4096 Jun 17 00:43 tomcat-10.1.42
lrwxrwxrwx 1 root root 22 Jul 4 14:43 webapps -> tomcat-10.1.39/webapps
-rw-r----- 1 tomcat tomcat 36768248 Jun 17 00:22 catalina.out.gz
-rw-r--r-- 1 root root 143 Jun 19 22:58 README.TXT
root@ubuntu-8gb-nbg1-1:/opt/tomcat/tomcat10/conf # cat server.xml
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"
               maxParameterCount="1000" maxPartCount="1000"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>
On Wed, Jul 9, 2025 at 8:32 PM Christopher Schultz <[email protected]> wrote:
> Hrvoje,
>
> On 7/9/25 1:04 PM, Hrvoje Lončar wrote:
> > This is the form:
> > https://thevegcat.com/suggest
> >
> > 13 fields are visible plus a file field, and a few are hidden fields including
> > the csrf token - nothing special or extreme.
> > The web app was published 6 years ago and all those years there was no trouble
> > at all.
>
> Which exact version of Tomcat is being used?
>
> Thanks,
> -chris
>
> > On Wed, 9 Jul 2025, 16:14 Christopher Schultz, <[email protected]>
> > wrote:
> >
> >> Hrvoje,
> >>
> >> On 7/6/25 7:33 AM, Hrvoje Lončar wrote:
> >> > After recent Tomcat security changes, my POST requests are failing
> >> > but not all the time. The problem is that the same request sometimes
> >> > ends up with an error and sometimes not.
> >> >
> >> > Tomcat is 10.0.42 protected by nginx which handles SSL certificate and
> >> > forwards dynamic requests to Tomcat.
> >> > [snip]
> >> >
> >> > <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
> >> > redirectPort="8443" maxParameterCount="1000" maxPartCount="1000"/>
> >>
> >> Are you anywhere near approaching your parameter limit of 1000?
> >>
> >> Is the nginx access log showing the _csrf parameters in the URL? How
> >> about the Tomcat log?
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
> >>
> >>
> >
>
>
--
*TheVegCat.com <https://thevegcat.com/>*
*VegCook.net <https://vegcook.net/>*
*horvoje.net <https://horvoje.net/>*
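
Added example (not part of the original thread and not Tomcat code): one way to check how close a multipart POST like the form described above comes to the maxParameterCount and maxPartCount values set on the posted Connector. The helper names, the sample form (13 text fields, 2 hidden fields, 1 file) and the counting rule are assumptions made for illustration: every part counts once against maxPartCount, and every non-file part or query-string pair counts once against maxParameterCount.

```python
import xml.etree.ElementTree as ET
from email.parser import BytesParser
from urllib.parse import parse_qsl

# Connector as posted in the thread; the rest of server.xml is omitted here.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443" maxParameterCount="1000" maxPartCount="1000"/>
</Service></Server>"""

def connector_limits(server_xml, port="8080"):
    """Return (maxParameterCount, maxPartCount) for one Connector; None if unset."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == port:
            values = (conn.get("maxParameterCount"), conn.get("maxPartCount"))
            return tuple(int(v) if v is not None else None for v in values)
    raise ValueError(f"no Connector on port {port}")

def count_request(content_type, body, query=""):
    """Count parts, file parts and parameters of one multipart/form-data POST."""
    header = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = BytesParser().parsebytes(header + body)
    if not msg.is_multipart():
        raise ValueError("body did not parse as multipart with this boundary")
    parts = msg.get_payload()
    files = sum(1 for p in parts if p.get_filename() is not None)
    # Assumption: non-file parts and query-string pairs each count as one parameter.
    params = len(parts) - files + len(parse_qsl(query, keep_blank_values=True))
    return {"parts": len(parts), "files": files, "parameters": params}

def headroom(limits, counts):
    """Remaining margin under each limit (negative = over); None if limit unset."""
    keys = ("parameters", "parts")
    return {k: None if lim is None else lim - counts[k] for k, lim in zip(keys, limits)}

def constructed_form(boundary="constructed-boundary-0001"):
    """Constructed sample: 13 text fields, 2 hidden fields (incl. _csrf), 1 file."""
    names = [f"field{i}" for i in range(1, 14)] + ["_csrf", "hidden1"]
    disp = "Content-Disposition: form-data; name="
    chunks = [f'--{boundary}\r\n{disp}"{n}"\r\n\r\nvalue\r\n' for n in names]
    chunks.append(f'--{boundary}\r\n{disp}"file"; filename="photo.jpg"\r\n'
                  "Content-Type: image/jpeg\r\n\r\nnot-a-real-image\r\n")
    chunks.append(f"--{boundary}--\r\n")
    return f"multipart/form-data; boundary={boundary}", "".join(chunks).encode()

if __name__ == "__main__":
    ctype, body = constructed_form()
    counts = count_request(ctype, body)
    print(counts, headroom(connector_limits(SERVER_XML), counts))
```

To use it on a real failure, pass count_request() the Content-Type header and raw body of a captured failing request instead of the constructed sample.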