tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: maxParameterCount not applied to multipart requests
Date Tue, 08 May 2012 09:56:16 GMT
On 08/05/2012 10:28, André Warnier wrote:
> Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Mark,
>>
>> On 5/7/12 5:21 PM, Mark Thomas wrote:
>>>> Christopher Schultz wrote:
>>> Tomcat only processes these requests for Servlet 3.0 file upload
>>> and there are already sufficient limits in place for that case to
>>> prevent a DoS.
>>
>> Aah, right: multipart is only supported if the servlet has been marked
>> as such, and therefore the developer knows to expect large mounts of
>> data (and can configure such limits).
>>
>> The wildcard is the "casual multipart parsing" which allows any
>> multipart request to be parsed without regard for such limits. Any
>> limits (data size) imposed on the connector will be used in those
>> cases, but "maximum number of parameters" is not one of them. I should
>> probably update the documentation for that feature to make a note of
>> this caveat.
>>
> 
> From the documentation of Commons/fileUpload, it would seem rather
> simple - for a Java guru - to implement a counter while processing the
> POSTed parameters, and ignore what is above maxParameterCount :
> 
> Sample code from http://commons.apache.org/fileupload/using.html :
> 
> // Process the uploaded items
> Iterator iter = items.iterator();
> while (iter.hasNext()) {
>     FileItem item = (FileItem) iter.next();
> 
>     if (item.isFormField()) {
>         processFormField(item);
>     } else {
>         processUploadedFile(item);
>     }
> }
> 
> (Maybe the "items" object above already has a "size" or "length" method,
> avoiding the counter logic altogether)
> 
> Of course by then, the POST has already been parsed, so I don't know if
> this would help a lot to avoid a DOS attack.
> But the maximum acceptable total size of the POST can be specified in
> advance, to avoid this.  After all, if someone wants to allow POSTs with
> 10,000 small parameters, then why not ?
> 
> I do not understand on the other hand the OP's later reference to a
> "hash collision". That sounds like a JVM issue, rather than a
> specifically Tomcat one, no ?

It is a JVM issue (in my view and many others) but one Oracle has chosen
not to fix.

maxParameterCount was put in place as a mitigation for this issue. It
looks like the OP may have a valid point regarding multi-part requests -
at least as far as the Servlet 3.0 upload code is concerned. I need to
do review the code to see exactly what is going on. Outside of Servlet
3.0 file upload, I don't believe it is a Tomcat concern.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message