tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: Security issue: parameter size.
Date Wed, 14 May 2003 14:37:08 GMT

Howdy,
It'd be nice if you could write a test case, and post it to the list
along with the tool we can use to run the test.

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: szhu@SonicWALL.com [mailto:szhu@SonicWALL.com]
>Sent: Tuesday, May 13, 2003 5:55 PM
>To: tomcat-user@jakarta.apache.org
>Subject: Security issue: parameter size.
>
>Hi,
>
>If a user POSTs a parameter of huge size (e.g., sends 1GB as the user name in
>a typical login page), will that crash Tomcat due to an OutOfMemoryException?
>Because by the time a servlet's service method is called, the parameters are
>already in memory, so checking request.getContentLength() probably doesn't
>help. Filters' doFilter() method has the same problem. I didn't go through the
>Coyote connector/HTTP connector code to check when the parameters are actually
>constructed, but my impression is that all parameters/headers are already
>parsed and stored in some in-memory data structure (e.g., a Map) before the
>HTTP connector hands over the request to the servlet container. Is that right?
>I guess one can use a web server such as Apache to reject these POSTs; can one
>do something in Tomcat itself? Thanks.
>
>Shunhui
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
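A filter-based answer to the question above, added here as an illustration and not code from either poster. It assumes (the thread does not say so) that the container parses POST parameters lazily, on the first getParameter* call, so a filter that inspects only the request headers and never touches the parameters runs before that memory is allocated; the class name, the `maxBytes` init-parameter and the 64 KiB default are all made up for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects request bodies larger than a configured limit before anything
 * downstream calls getParameter(). Assumption (not stated in the thread):
 * parameters are parsed lazily, so checking headers here costs no body memory.
 */
public class MaxBodySizeFilter implements Filter {
    private long maxBytes = 64L * 1024; // hypothetical default: 64 KiB

    public void init(FilterConfig config) {
        String v = config.getInitParameter("maxBytes"); // hypothetical init-param
        if (v != null) maxBytes = Long.parseLong(v);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        // Look only at headers; do NOT call getParameter*() before this check.
        if (exceedsLimit(r.getContentLength(), r.getHeader("Transfer-Encoding"))) {
            // 413 Request Entity Too Large; the body has not been read yet.
            ((HttpServletResponse) res).sendError(413);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when Content-Length is above the limit, or when there is no
     * Content-Length and the body is chunked (size unknown up front, so refuse
     * rather than let the container buffer an unbounded body).
     */
    boolean exceedsLimit(int contentLength, String transferEncoding) {
        if (contentLength > maxBytes) return true;
        return contentLength < 0 && transferEncoding != null
                && transferEncoding.toLowerCase().contains("chunked");
    }

    public void destroy() {}
}
```

Map it in web.xml ahead of any other filter that reads parameters; Tomcat's HTTP connector also documents a maxPostSize attribute that caps how many POST bytes the connector itself will parse into parameters.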





