André,

On 5/7/12 5:10 PM, André Warnier wrote:
> Christopher Schultz wrote:
>> Mark,
>>
>> On 5/6/12 5:05 AM, Mark Thomas wrote:
>>> On 05/05/2012 12:25, Kanatoko wrote:
>>>> Hello list,
>>>>
>>>> It seems that the Connector attribute "maxParameterCount" is
>>>> not applied to multipart requests.
>>> Correct. This is by design.
>>
>> Doesn't that make it trivial to launch a DOS on a server by
>> simply using multipart/form-data?
>>
>> Why not limit parameters for multipart messages?
>
> Impish guess : because "by design" means that it is a lot harder to
> go dig into the code borrowed from Commons/FileUpload and to modify
> it to find out and limit the number of parameters ?

Probably not: commons-fileupload isn't a dependency of Tomcat, at
least not in trunk. Tomcat performs its own multipart handling in
o.a.c.connector.Request.parseParts.

-chris