tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: maxParameterCount not applied to multipart requests
Date Mon, 07 May 2012 21:22:32 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 5/7/12 5:10 PM, André Warnier wrote:
> Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> Mark,
>> 
>> On 5/6/12 5:05 AM, Mark Thomas wrote:
>>> On 05/05/2012 12:25, Kanatoko wrote:
>>>> Hello list,
>>>> 
>>>> It seems that the Connector attribute "maxParameterCount" is
>>>> not applied to multipart requests.
>>> Correct. This is by design.
>> 
>> Doesn't that make it trivial to launch a DOS on a server by
>> simply using multipart/form-data?
>> 
>> Why not limit parameters for multipart messages?
> 
> Impish guess : because "by design" means that it is a lot harder to
> go dig into the code borrowed from Commons/FileUpload and to modify
> it to find out and limit the number of parameters ?

Probably not: commons-fileupload isn't a dependency of Tomcat, at
least not in trunk. Tomcat performs its own multipart handling in
o.a.c.connector.Request.parseParts.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+oPRgACgkQ9CaO5/Lv0PAcTgCfUQfTQT+kvWq42E9ECIBTXgiN
oEYAnRdnbUmTirs+CNJWFo1WwO5QPRW1
=dgQ6
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message