tomcat-users mailing list archives

From Kanatoko <an...@jumperz.net>
Subject Re: maxParameterCount not applied to multipart requests
Date Tue, 08 May 2012 07:27:14 GMT
I ran some tests on a servlet with @MultipartConfig and getParts()
and found that the hash collision attack was still in place.

Parameters like the ones below cause the problem.
*********************************************************
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyEyEy"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyEyFZ"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyFZEy"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyEyFZFZ"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyFZEyEy"

1
--abc
Content-Disposition: form-data; name="EyEyEyEyEyEyEyEyEyEyEyEyFZEyFZ"

1
(repeat)
*********************************************************

As I wrote, the number of parameters is not limited to 10000.

Thanks.

-- 
Kanatoko
http://www.jumperz.net/
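
Added example (not part of the original message and not Tomcat code): a check that counts the parts in a multipart body and measures how many distinct part names share one String.hashCode() value, run over the six names quoted above. The class name, method names and both limits are hypothetical, and the sample body is constructed from the message's names.

```java
import java.util.*;
import java.util.regex.*;

public class MultipartPartAudit {
    // Hypothetical limits chosen for this small sample; not Tomcat settings.
    static final int MAX_PARTS = 4;
    static final int MAX_SAME_HASH = 3;

    // Matches the name="..." attribute of a form-data Content-Disposition header.
    private static final Pattern NAME = Pattern.compile(
        "(?im)^Content-Disposition:\\s*form-data;.*?\\bname=\"([^\"]*)\"");

    /** Extracts the part names from a raw multipart body, in order. */
    static List<String> partNames(String body) {
        List<String> names = new ArrayList<>();
        Matcher m = NAME.matcher(body);
        while (m.find()) names.add(m.group(1));
        return names;
    }

    /** Size of the largest set of distinct names sharing one String.hashCode(). */
    static int largestHashGroup(Collection<String> names) {
        Map<Integer, Set<String>> groups = new HashMap<>();
        int max = 0;
        for (String n : names) {
            Set<String> g = groups.computeIfAbsent(n.hashCode(), k -> new HashSet<>());
            g.add(n);
            max = Math.max(max, g.size());
        }
        return max;
    }

    public static void main(String[] args) {
        // Constructed sample: the six part names quoted in the message.
        String[] sample = {
            "EyEyEyEyEyEyEyEyEyEyEyEyEyEyEy", "EyEyEyEyEyEyEyEyEyEyEyEyEyEyFZ",
            "EyEyEyEyEyEyEyEyEyEyEyEyEyFZEy", "EyEyEyEyEyEyEyEyEyEyEyEyEyFZFZ",
            "EyEyEyEyEyEyEyEyEyEyEyEyFZEyEy", "EyEyEyEyEyEyEyEyEyEyEyEyFZEyFZ" };
        StringBuilder body = new StringBuilder();
        for (String n : sample)
            body.append("--abc\r\nContent-Disposition: form-data; name=\"")
                .append(n).append("\"\r\n\r\n1\r\n");
        body.append("--abc--\r\n");

        List<String> names = partNames(body.toString());
        int group = largestHashGroup(names);
        System.out.println("parts=" + names.size() + " largestSameHashGroup=" + group);
        if (names.size() > MAX_PARTS) System.out.println("REJECT: part count over limit");
        if (group > MAX_SAME_HASH) System.out.println("REJECT: names cluster on one hashCode");
    }
}
```

"Ey" and "FZ" both hash to 2260 under String.hashCode(), so every name built from the same number of those two blocks lands in the same hash bucket; a cap on the number of parts bounds that cost regardless of the names used.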



