Posted to dev@tomcat.apache.org by Christopher Cain <cc...@mhsoftware.com> on 2001/08/21 21:13:16 UTC

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

"Pier P. Fumagalli" wrote:
> 
> Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> 
> > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> >> craigmcc    01/08/21 11:51:52
> >>
> >>   Modified:    catalina/src/share/org/apache/catalina/core
> >>                         StandardServer.java
> >>   Log:
> >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> >>   of memory" exception by sending a continuous stream of characters.  Now,
> >>   Tomcat will only listen for enough characters to match or not-match the
> >>   required password, then it shuts the port.
> >
> > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> 
> Good point... :(
> 
>     Pier

It is a good point. Might I suggest shutting it off at an arbitrary
limit instead ... say, 100 characters?

- Christopher

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

Posted by Christopher Cain <cc...@mhsoftware.com>.
"Craig R. McClanahan" wrote:
> 
> On Tue, 21 Aug 2001, Christopher Cain wrote:

[snip]

> > Now, if you could just add a small random value to "expected" before you
> > drop into the "while > 0" loop to make it non-deterministic, please ...
> >
> > (just kidding ;-)
> >
> 
> Don't laugh.  That's what I had actually implemented after doing the +=
> 1024 thing, but I just hadn't saved it away.
> 
> Craig

Oh ... hahaha ... I thought you'd think I was being a paranoid
crypto-weenie. I guess great minds just think alike ;-)

I do that editor thing all the time too. Mostly when I change something,
do a build, run it, then wonder why custom debug output didn't show up.
D'oh! =)

- Christopher

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 21 Aug 2001, Christopher Cain wrote:

> 
> 
> "Craig R. McClanahan" wrote:
> > 
> > On Tue, 21 Aug 2001, Christopher Cain wrote:
> > 
> > > "Pier P. Fumagalli" wrote:
> > > >
> > > > Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> > > >
> > > > > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> > > > >> craigmcc    01/08/21 11:51:52
> > > > >>
> > > > >>   Modified:    catalina/src/share/org/apache/catalina/core
> > > > >>                         StandardServer.java
> > > > >>   Log:
> > > > >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> > > > >>   of memory" exception by sending a continuous stream of characters.  Now,
> > > > >>   Tomcat will only listen for enough characters to match or not-match the
> > > > >>   required password, then it shuts the port.
> > > > >
> > > > > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> > > >
> > > > Good point... :(
> > > >
> > > >     Pier
> > >
> > > It is a good point. Might I suggest shutting it off at an arbitrary
> > > limit instead ... say, 100 characters?
> > >
> > 
> > 100 is a little short for paranoid sysadmins that use a really long
> > password :-).  But you'll get a kick out of what I did implement :-).
> 
> Ahhh ... a padded limit ... I likes it, I likes it =)
> 
> Now, if you could just add a small random value to "expected" before you
> drop into the "while > 0" loop to make it non-deterministic, please ...
> 
> (just kidding ;-)
> 

Don't laugh.  That's what I had actually implemented after doing the +=
1024 thing, but I just hadn't saved it away.

> - Christopher
> 

Craig



Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

Posted by Christopher Cain <cc...@mhsoftware.com>.

"Craig R. McClanahan" wrote:
> 
> On Tue, 21 Aug 2001, Christopher Cain wrote:
> 
> > "Pier P. Fumagalli" wrote:
> > >
> > > Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> > >
> > > > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> > > >> craigmcc    01/08/21 11:51:52
> > > >>
> > > >>   Modified:    catalina/src/share/org/apache/catalina/core
> > > >>                         StandardServer.java
> > > >>   Log:
> > > >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> > > >>   of memory" exception by sending a continuous stream of characters.  Now,
> > > >>   Tomcat will only listen for enough characters to match or not-match the
> > > >>   required password, then it shuts the port.
> > > >
> > > > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> > >
> > > Good point... :(
> > >
> > >     Pier
> >
> > It is a good point. Might I suggest shutting it off at an arbitrary
> > limit instead ... say, 100 characters?
> >
> 
> 100 is a little short for paranoid sysadmins that use a really long
> password :-).  But you'll get a kick out of what I did implement :-).

Ahhh ... a padded limit ... I likes it, I likes it =)

Now, if you could just add a small random value to "expected" before you
drop into the "while > 0" loop to make it non-deterministic, please ...

(just kidding ;-)

- Christopher

Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core StandardServer.java

Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Tue, 21 Aug 2001, Christopher Cain wrote:

> "Pier P. Fumagalli" wrote:
> > 
> > Justin Erenkrantz at jerenkrantz@ebuilt.com wrote:
> > 
> > > On Tue, Aug 21, 2001 at 06:51:52PM -0000, craigmcc@apache.org wrote:
> > >> craigmcc    01/08/21 11:51:52
> > >>
> > >>   Modified:    catalina/src/share/org/apache/catalina/core
> > >>                         StandardServer.java
> > >>   Log:
> > >>   Fix for a DoS attack against the shutdown port, that could cause an "out
> > >>   of memory" exception by sending a continuous stream of characters.  Now,
> > >>   Tomcat will only listen for enough characters to match or not-match the
> > >>   required password, then it shuts the port.
> > >
> > > Now I'll know exactly how long the shutdown password is.  =-)  -- justin
> > 
> > Good point... :(
> > 
> >     Pier
> 
> It is a good point. Might I suggest shutting it off at an arbitrary
> limit instead ... say, 100 characters?
> 

100 is a little short for paranoid sysadmins that use a really long
password :-).  But you'll get a kick out of what I did implement :-).

> - Christopher
> 

Craig
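The read loop this thread is arguing about, as an added example written for this page in Python (it is not Tomcat's StandardServer code, which is Java, and it does not reproduce what Craig committed). It shows the three shapes discussed: the unbounded loop that buffers a continuous stream until it runs out of memory, the loop cut off at exactly the password length (which tells a flooding client how long the password is), and the loop cut off at password length plus 1024 plus a per-connection random value. The sample password "SHUTDOWN", the pad sizes, the in-memory byte streams standing in for the socket, and the constant-time comparison are all assumptions of this example.

```python
import io
import secrets

# Constructed sample values for this example; not Tomcat's real configuration.
PASSWORD = "SHUTDOWN"
FIXED_PAD = 1024          # the "+= 1024" Craig describes in the thread
RANDOM_PAD_RANGE = 1024   # the extra random amount added on top of it


def stream_of(data):
    """Stand-in for the accepted socket's input stream (constructed input)."""
    return io.BytesIO(data)


def read_command_unbounded(stream):
    """Vulnerable shape of the loop: buffer every byte until a control
    character or EOF arrives.  A client that never sends a newline makes the
    buffer grow without limit, which is the out-of-memory DoS the commit fixes.
    Returns (command, bytes_buffered)."""
    buf = bytearray()
    while True:
        b = stream.read(1)
        if not b or b[0] < 32:        # EOF or control character ends the command
            break
        buf += b
    return bytes(buf), len(buf)


def read_command_bounded(stream, password, pad):
    """Hardened shape: fix a byte budget of len(password) + pad before the loop,
    read at most that many bytes, then stop no matter what the client sends.
    Memory is bounded by the budget.  Returns (matched, bytes_read)."""
    budget = len(password) + pad
    buf = bytearray()
    bytes_read = 0
    while bytes_read < budget:
        b = stream.read(1)
        if not b:
            break
        bytes_read += 1
        if b[0] < 32:                 # control character ends the command
            break
        buf += b
    # Constant-time comparison is this example's addition, not something the
    # thread discusses; a plain equality test is the usual alternative.
    matched = secrets.compare_digest(bytes(buf), password.encode("latin-1"))
    return matched, bytes_read


def random_pad():
    """Per-connection padding: the fixed 1024 plus a random 0..1023, chosen
    before the read loop so the observed cut-off no longer maps back to
    len(password)."""
    return FIXED_PAD + secrets.randbelow(RANDOM_PAD_RANGE)


def length_leaked(bytes_read, pad):
    """What a flooding client infers from the cut-off when the pad is known
    (pad == 0 for the exact-length cut-off, FIXED_PAD for the "+= 1024" one)."""
    return bytes_read - pad


def length_range_with_random_pad(bytes_read):
    """With the random part unknown, the same observation only bounds the
    password length to a window RANDOM_PAD_RANGE wide."""
    lo = bytes_read - FIXED_PAD - (RANDOM_PAD_RANGE - 1)
    hi = bytes_read - FIXED_PAD
    return lo, hi


if __name__ == "__main__":
    flood = b"A" * 200_000            # constructed "continuous stream of characters"
    print("unbounded buffered:", read_command_unbounded(stream_of(flood))[1])
    print("exact cut-off read:", read_command_bounded(stream_of(flood), PASSWORD, 0)[1])
    pad = random_pad()
    n = read_command_bounded(stream_of(flood), PASSWORD, pad)[1]
    print("random-pad cut-off:", n, "-> length in", length_range_with_random_pad(n))
```

The bounded loop decides its budget before reading anything, so a slow client cannot influence it, and the budget is the only thing that grows with the configured password, not the input. One caveat when reasoning about the oracle over a real socket: the server's kernel keeps accepting bytes into its receive buffer after the application stops reading, so a remote client sees the cut-off (via the reset on close) only to within the receive window, which makes the exact-length leak coarser in practice than it is against an in-memory stream, but not absent.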