Posted to dev@tomcat.apache.org by kk...@apache.org on 2011/11/10 11:48:27 UTC

svn commit: r1200263 - in /tomcat/trunk/webapps/docs: config/ajp.xml config/filter.xml config/http.xml security-howto.xml

Author: kkolinko
Date: Thu Nov 10 10:48:27 2011
New Revision: 1200263

URL: http://svn.apache.org/viewvc?rev=1200263&view=rev
Log:
Add links to FailedRequestFilter in several places
and do other small documentation improvements.

Modified:
    tomcat/trunk/webapps/docs/config/ajp.xml
    tomcat/trunk/webapps/docs/config/filter.xml
    tomcat/trunk/webapps/docs/config/http.xml
    tomcat/trunk/webapps/docs/security-howto.xml

Modified: tomcat/trunk/webapps/docs/config/ajp.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/ajp.xml?rev=1200263&r1=1200262&r2=1200263&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/ajp.xml (original)
+++ tomcat/trunk/webapps/docs/config/ajp.xml Thu Nov 10 10:48:27 2011
@@ -99,7 +99,9 @@
       <p>The maximum number of parameter and value pairs (GET plus POST) which
       will be automatically parsed by the container. Parameter and value pairs
       beyond this limit will be ignored. A value of less than 0 means no limit.
-      If not specified, a default of 10000 is used.</p>
+      If not specified, a default of 10000 is used. Note that
+      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
+      used to reject requests that hit the limit.</p>
     </attribute>
 
     <attribute name="maxPostSize" required="false">
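Review bot: The added sentence reads awkwardly and the link anchor is on the wrong word: "Note that <code>FailedRequestFilter</code> <a href="filter.html">filter</a>" puts the link on the generic word "filter" instead of the class name and drops the article. Suggest "Note that the <a href="filter.html"><code>FailedRequestFilter</code></a> can be used to reject requests that exceed the limit." Also prefer "exceed" over "hit": the preceding sentence says pairs "beyond this limit will be ignored", so a request with exactly the limit is not affected, and "hit" leaves that ambiguous. Worth keeping the point that, without the filter, extra parameters are dropped silently and the application simply sees them as absent.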

Modified: tomcat/trunk/webapps/docs/config/filter.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/filter.xml?rev=1200263&r1=1200262&r2=1200263&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/trunk/webapps/docs/config/filter.xml Thu Nov 10 10:48:27 2011
@@ -1226,6 +1226,8 @@ org.apache.catalina.filters.RequestDumpe
     filter is not so high, because parameter parsing does check content type
     of the request before consuming the request body.</p>
 
+    <p>The request is rejected with HTTP status code 400 (Bad Request).</p>
+
   </subsection>
 
   <subsection name="Filter Class Name">
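Review bot: The new paragraph is detached from its context: "The request is rejected with HTTP status code 400 (Bad Request)." follows a paragraph about the cost of the filter, so "The request" has no clear referent. Suggest wording that restates the condition, e.g. "Requests that had errors during parameter parsing are rejected with HTTP status code 400 (Bad Request).", or move the sentence up to the paragraph that introduces what the filter does. Stating the status code is useful for anyone writing a detection rule or an error page, so the sentence itself is a good addition.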

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1200263&r1=1200262&r2=1200263&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Thu Nov 10 10:48:27 2011
@@ -97,7 +97,9 @@
       <p>The maximum number of parameter and value pairs (GET plus POST) which
       will be automatically parsed by the container. Parameter and value pairs
       beyond this limit will be ignored. A value of less than 0 means no limit.
-      If not specified, a default of 10000 is used.</p>
+      If not specified, a default of 10000 is used. Note that
+      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
+      used to reject requests that hit the limit.</p>
     </attribute>
 
     <attribute name="maxPostSize" required="false">
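Review bot: Same text as the ajp.xml hunk, so the same wording fix applies: link the class name rather than the word "filter" (<a href="filter.html"><code>FailedRequestFilter</code></a>), add the article, and use "exceed the limit" instead of "hit the limit" to match "beyond this limit will be ignored" two lines above. Keep the two connector pages identical so they do not drift apart.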

Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1200263&r1=1200262&r2=1200263&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Thu Nov 10 10:48:27 2011
@@ -161,6 +161,12 @@
       minutes) so this is limited to 4KB by default to reduce exposure to a DOS
       attack.</p>
 
+      <p>The <strong>maxParameterCount</strong> attribute controls the
+      maximum number of parameter and value pairs (GET plus POST) that can
+      be parsed and stored in the request. Excessive parameters are ignored.
+      If you want to reject such requests, configure a
+      <a href="config/filter.html">FailedRequestFilter</a>.</p>
+
       <p>The <strong>xpoweredBy</strong> attribute controls whether or not the
       X-Powered-By HTTP header is sent with each request. If sent, the value of
       the header contains the Servlet and JSP specification versions, the full
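Review bot: The new maxParameterCount paragraph omits the default, unlike the neighbouring maxHttpHeaderSize paragraph ("limited to 4KB by default"); suggest adding "The default is 10000." to match the connector documentation changed in this same commit. "Excessive parameters are ignored" should be "Excess parameters are ignored" (the ones beyond the limit, not parameters that are excessive). It would also help the reader of a security how-to to say why rejecting is preferable: silently dropping parameters means the application sees an incomplete parameter set and cannot tell that anything was removed, whereas the filter turns that into a 400 the application and its logs can see.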
@@ -207,6 +213,10 @@
       current state of this vulnerability and the work-arounds available see the
       <a href="http://tomcat.apache.org/security-7.html">Tomcat 7 security
       page</a>.</p>
+
+      <p>The <strong>requiredSecret</strong> attribute in AJP connectors
+      configures shared secret between Tomcat and reverse proxy in front of
+      Tomcat. It is used to prevent unauthorized connections over AJP protocol.</p>
     </subsection>
 
     <subsection name="Host">
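Review bot: The requiredSecret paragraph needs articles and a link: "configures a shared secret between Tomcat and the reverse proxy in front of Tomcat. It is used to prevent unauthorized connections over the AJP protocol." Other attributes in this file link to their reference page, so link the attribute to the AJP connector documentation (config/ajp.html). Since this is the security how-to, it should also state the consequence of leaving it unset: the AJP connector then accepts a connection from any client that can reach the port, so the secret should be set whenever the port is reachable from anything other than the proxy, and restricting the bind address is still advisable alongside it.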
@@ -220,11 +230,19 @@
 
       <p>In a hosted environment where web applications may not be trusted, set
       the <strong>deployXml</strong> attribute to false to ignore any
-      context.xml packaged with the web application that may try to assigned
+      context.xml packaged with the web application that may try to assign
       increased privileges to the web application. </p>
     </subsection>
 
     <subsection name="Context">
+      <p>This applies to <a href="config/context.html">Context</a>
+      elements in all places where they can be defined:
+      <code>server.xml</code> file,
+      default <code>context.xml</code> file,
+      per-host <code>context.xml.default</code> file,
+      web application context file in per-host configuration directory
+      or inside the web application.</p>
+
       <p>The <strong>crossContext</strong> attribute controls if a context is
       allowed to access the resources of another context. It is
       <code>false</code> by default and should only be changed for trusted web
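Review bot: The new Context scope paragraph runs its list of locations together in one sentence with inconsistent articles ("<code>server.xml</code> file, default <code>context.xml</code> file, per-host <code>context.xml.default</code> file, web application context file in per-host configuration directory or inside the web application"). Suggest either a list element, if the docs stylesheet supports it here, or consistent wording: "the <code>server.xml</code> file, the default <code>context.xml</code> file, the per-host <code>context.xml.default</code> file, a per-application context file in the per-host configuration directory, or a <code>META-INF/context.xml</code> inside the web application." The "assigned" to "assign" fix in the deployXml paragraph is correct.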
@@ -252,7 +270,7 @@
       context as required.</p>
 
       <p>Any administrative application should be protected by a
-      RemoteAddressValve. (Note that this Valve is also available as a Filter.)
+      RemoteAddrValve. (Note that this Valve is also available as a Filter.)
       The <strong>allow</strong> attribute should be used to limit access to a
       set of known trusted hosts.</p>
 
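Review bot: The rename to RemoteAddrValve is the correct class name, but the sentence still gives no link and the parenthetical "also available as a Filter" does not name the filter; suggest linking the valve to config/valve.html and naming the filter (RemoteAddrFilter, documented in config/filter.html) so the reader can find either one. Since the "allow" attribute matches the client address as seen by Tomcat, it may also be worth a sentence that behind a reverse proxy the address is the proxy's, so this valve alone does not restrict the original clients in that setup.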
@@ -260,7 +278,7 @@
       response sent to clients. To avoid this, custom error handling can be
       configured within each web application. Alternatively, the version number
       can be changed by creating the file
-      CATALINA_HOME/lib/org/apache/catalina/util/ServerInfo.properties with
+      CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with
       content as follows:</p>
       <source>
 server.info=Apache Tomcat/7.0.x
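Review bot: Changing CATALINA_HOME to CATALINA_BASE is right for multi-instance installs, but the text should say why it works: the override is picked up because the common class loader searches <code>${catalina.base}/lib</code> before <code>${catalina.home}/lib</code> (the default <code>common.loader</code> order in catalina.properties). An installation that has reordered or trimmed <code>common.loader</code> will keep reporting the original version string despite following these instructions, so a one-line caveat would save some confusion.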
@@ -335,8 +353,13 @@ server.info=Apache Tomcat/7.0.x
     as UTF-7.</p>
   </section>
 
-  <section name="CATALINA_BASE/conf/web.xml">
-    <p>The DefaultServlet is configured with <strong>readonly</strong> set to
+  <section name="web.xml">
+    <p>This applies to the default <code>conf/web.xml</code> file and
+    <code>WEB-INF/web.xml</code> files in web applications if they define
+    the components mentioned here.</p>
+
+    <p>The <a href="default-servlet.html">DefaultServlet</a> is configured
+    with <strong>readonly</strong> set to
     <code>true</code>. Changing this to <code>false</code> allows clients to
     delete or modify static resources on the server and to upload new
     resources. This should not normally be changed without requiring
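Review bot: Renaming the section from "CATALINA_BASE/conf/web.xml" to "web.xml" changes the anchor that the docs stylesheet derives from the section name, so any existing link to the old section anchor (elsewhere in the docs or external bookmarks) will stop resolving; please check for references to the old anchor before committing the rename. The new scope sentence "if they define the components mentioned here" is slightly vague; "if they override the DefaultServlet or the other components mentioned here" would say what is meant. Linking DefaultServlet to default-servlet.html is a good addition.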
@@ -347,6 +370,11 @@ server.info=Apache Tomcat/7.0.x
     considered unsafe but because generating listings of directories with
     thousands of files can consume significant CPU leading to a DOS attack.
     </p>
+
+    <p><a href="config/filter.html">FailedRequestFilter</a>
+    can be configured and used to reject requests that had errors during
+    request parameter parsing. Without the filter the default behaviour is
+    to ignore invalid or excessive parameters.</p>
   </section>
 
   <section name="General">
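Review bot: The new FailedRequestFilter paragraph should tie into the section it lives in: say that the filter is declared in <code>web.xml</code> (either the default <code>conf/web.xml</code> or an application's <code>WEB-INF/web.xml</code>), since that is what this section is about, and mention the resulting HTTP 400 status that the filter.xml hunk in this commit documents. "Invalid or excessive parameters" should be "invalid or excess parameters". This text also overlaps with the maxParameterCount paragraph added earlier in the same file; consider cross-referencing rather than restating the default-ignore behaviour in both places.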


