tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Maximum HTTP parameters
Date Wed, 08 Jan 2014 22:11:57 GMT
On 08/01/2014 21:47, Dames, Kristopher J wrote:
> My webapp needs to pass several thousand parameters in an HTTP POST
> request. I am required to use RHEL's tomcat packages (currently on
> 6.0.24). I figured out Red Hat has capped the maximum HTTP parameters
> at 512 and to get around it, I have to add the Java parameter
> "-Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=5000" to the JVM.
> I know this isn't strictly a Tomcat issue since the problem is Red
> Hat's doing, but is anyone aware if it is possible to set this value
> to "unlimited"? I tried setting it to 0 and -1 but they were treated
> as literal values.

Sorry, you'll have to take that up with Red Hat. They opted to apply
their own solution rather than back-port the official fix.

The official fix (the maxParameterCount attribute of the connector) has
a default of 10000 and any value less than 0 is treated as unlimited.

There are two security issues here:
1) The Java hash collision issue (CVE-2011-4858)
2) Tomcat parameter processing inefficiencies (CVE-2012-0022)

CVE-2012-0022 may mean that processing thousands of parameters is really
slow. You may see significant performance improvements if you switch to
even the latest 6.0.x.

Mark
