On 07/05/2012 22:22, Christopher Schultz wrote:
> André,
>
> On 5/7/12 5:10 PM, André Warnier wrote:
>> Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 5/6/12 5:05 AM, Mark Thomas wrote:
>>>> On 05/05/2012 12:25, Kanatoko wrote:
>>>>> Hello list,
>>>>>
>>>>> It seems that the Connector attribute "maxParameterCount"
>>>>> is not applied to multipart requests.
>>>> Correct. This is by design.
>>>
>>> Doesn't that make it trivial to launch a DOS on a server by
>>> simply using multipart/form-data?
>>>
>>> Why not limit parameters for multipart messages?
>
>> Impish guess : because "by design" means that it is a lot harder
>> to go dig into the code borrowed from Commons/FileUpload and to
>> modify it to find out and limit the number of parameters ?
>
> Probably not: commons-fileupload isn't a dependency of Tomcat, at
> least not in trunk. Tomcat performs its own multipart handling in
> o.a.c.connector.Request.parseParts.

That is a packaged renamed fork of commons file upload.

Mark
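
Added example, not part of the original thread and not Tomcat's code: since the thread says "maxParameterCount" is not applied to multipart requests, this sketch shows one way an application could cap the number of parts itself by scanning the raw body for boundary delimiters before any multipart parser sees it. The class name, method name and limit are hypothetical, and the boundary string is assumed to have been taken from the request's Content-Type header already.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Added example (hypothetical class, not Tomcat code).
public class MultipartPartLimit {

    // Counts parts in one streaming pass; throws as soon as maxParts is exceeded.
    static int countParts(InputStream body, String boundary, int maxParts) throws IOException {
        // A delimiter is CRLF + "--" + boundary. CR cannot occur inside a
        // boundary, so after a mismatch a match can only restart on a CR byte.
        byte[] delim = ("\r\n--" + boundary).getBytes(StandardCharsets.ISO_8859_1);
        int matched = 2;  // the first delimiter may start the body with no CRLF before it
        int tail = -1;    // >= 0: number of '-' bytes seen right after a delimiter
        int parts = 0;
        int b;
        while ((b = body.read()) != -1) {
            if (tail >= 0) {
                if (b != '-') {                 // ordinary delimiter: a part follows
                    tail = -1;
                    if (++parts > maxParts) throw new IOException("more than " + maxParts + " parts");
                } else if (++tail == 2) {
                    return parts;               // "--" suffix: close delimiter, stop
                }
            }
            if (b == delim[matched]) matched++;
            else matched = (b == '\r') ? 1 : 0;
            if (matched == delim.length) { matched = 0; tail = 0; }
        }
        return parts;
    }

    public static void main(String[] args) throws IOException {
        String boundary = "XbX";                // constructed sample input
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 3; i++) {
            sb.append("--").append(boundary).append("\r\n")
              .append("Content-Disposition: form-data; name=\"p").append(i).append("\"\r\n\r\n")
              .append("v").append(i).append("\r\n");
        }
        sb.append("--").append(boundary).append("--\r\n");
        byte[] body = sb.toString().getBytes(StandardCharsets.ISO_8859_1);
        System.out.println("parts: " + countParts(new ByteArrayInputStream(body), boundary, 10));
        try {
            countParts(new ByteArrayInputStream(body), boundary, 2);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The scan consumes the stream, so a caller that still wants to parse an accepted request has to buffer the body (itself under a size limit) or re-supply it to the parser.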