On 07/05/2012 22:10, André Warnier wrote:
> Christopher Schultz wrote:
>> Mark,
>>
>> On 5/6/12 5:05 AM, Mark Thomas wrote:
>>> On 05/05/2012 12:25, Kanatoko wrote:
>>>> Hello list,
>>>>
>>>> It seems that the Connector attribute "maxParameterCount" is not
>>>> applied to multipart requests.
>>> Correct. This is by design.
>>
>> Doesn't that make it trivial to launch a DOS on a server by simply
>> using multipart/form-data?

Only if the application does something stupid which would make it an
application issue not a Tomcat one. Tomcat only processes these requests
for Servlet 3.0 file upload and there are already sufficient limits in
place for that case to prevent a DoS.

>> Why not limit parameters for multipart messages?
>
> Impish guess : because "by design" means that it is a lot harder to go
> dig into the code borrowed from Commons/FileUpload and to modify it to
> find out and limit the number of parameters ?
> (and probably a "patches welcome" to follow)

Nope. See above.

Mark