Posted to users@tomcat.apache.org by "Haenni, Tia" <th...@burnsmcd.com> on 2012/05/11 22:03:29 UTC

maxParameterCount with Tomcat 5.5.23

A recent RHEL patch supplied the following Tomcat packages which attempt to address a possible DoS attack as outlined at the link below:

tomcat5-jasper-5.5.23-0jpp.31.el5_8
tomcat5-server-lib-5.5.23-0jpp.31.el5_8
tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8
tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8
tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8
tomcat5-common-lib-5.5.23-0jpp.31.el5_8
tomcat5-webapps-5.5.23-0jpp.31.el5_8
tomcat5-5.5.23-0jpp.31.el5_8

http://rhn.redhat.com/errata/RHSA-2012-0474.html

Since then I've encountered a problem with exceeding the maxParameterCount which seems to default at 512:

May 4, 2012 2:30:27 PM org.apache.catalina.connector.Request parseParameters
WARNING: Exception thrown whilst processing POSTed parameters
java.lang.IllegalStateException: Parameter count exceeded allowed maximum: 512
                at org.apache.tomcat.util.http.Parameters.addParam(Parameters.java:331)
                at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407)
                at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:358)
                at org.apache.catalina.connector.Request.parseParameters(Request.java:2400)
                at org.apache.catalina.connector.Request.getParameterValues(Request.java:1063)
                at org.apache.catalina.connector.RequestFacade.getParameterValues(RequestFacade.java:394).........

I do not need it to be the old default of 10000 and I don't think I want to set it to unlimited (-1) but I do need more than 512 for the application I am supporting.

Does anyone know how to tweak the maxParameterCount in a standalone Tomcat listening on 8080, requests are sent via Apache listening on 80?

This is not Tomcat as supplied with JBoss, so a fix such as that detailed at the link below I do not think will work:

http://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.3_Release_Notes/ar01s05.html

Thanks in advance!




RE: maxParameterCount with Tomcat 5.5.23

Posted by "Haenni, Tia" <th...@burnsmcd.com>.
Konstantin,

I am aware of the EOL for 5.5. We plan to upgrade to 6.x (whatever version RH decides to bestow upon us)

Thanks!

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: Friday, May 11, 2012 3:43 PM
To: Tomcat Users List
Subject: Re: maxParameterCount with Tomcat 5.5.23

2012/5/12 Haenni, Tia <th...@burnsmcd.com>:
> Chuck,
>
> Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.
>
> I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.
>
> Can you confirm that setting maxParameterCount in the connector attribute will override the default?
>

It should, but that is up to you to confirm. You have that strange version of Tomcat, we do not.

BTW, note that ASF support of Tomcat 5.5.x branch ends in several months, http://tomcat.apache.org/tomcat-55-eol.html

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Re: maxParameterCount with Tomcat 5.5.23

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/5/12 Haenni, Tia <th...@burnsmcd.com>:
> Chuck,
>
> Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.
>
> I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.
>
> Can you confirm that setting maxParameterCount in the connector attribute will override the default?
>

It should, but that is up to you to confirm. You have that strange
version of Tomcat, we do not.

BTW, note that ASF support of Tomcat 5.5.x branch ends in several months,
http://tomcat.apache.org/tomcat-55-eol.html

Best regards,
Konstantin Kolinko



RE: maxParameterCount with Tomcat 5.5.23

Posted by "Haenni, Tia" <th...@burnsmcd.com>.
For my Red Hat delivered Tomcat, changes to the connector attribute were ignored. However, I did find a fix that works.

In tomcat5.conf, after all other settings are added to JAVA_OPTS, add the value you desire for max parameter count like this:

# RH KB 100383
# Override default max parameter count of 512
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=10000"

The Red Hat KB article references JBoss run script, but the above works fine for standalone Tomcat.

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, May 11, 2012 3:51 PM
To: Tomcat Users List
Subject: RE: maxParameterCount with Tomcat 5.5.23

> From: Haenni, Tia [mailto:thaenni@burnsmcd.com]
> Subject: RE: maxParameterCount with Tomcat 5.5.23

> I read some posts where it was apparently ignored and the default used 
> instead.

It would be interesting to know who's publishing such garbage.

> Can you confirm that setting maxParameterCount in the connector 
> attribute will override the default?

Not on a Tomcat mangled by Red Hat - you're on your own with that.  If you use a real Tomcat, it will certainly work.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
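
A check for the fix described in this post, added here as an example and not part of the thread or of Red Hat's or Tomcat's own tooling: it evaluates a tomcat5.conf-style file as shell and reports which Parameters.MAX_COUNT value ends up in JAVA_OPTS, flagging an unset or unlimited (-1) limit. The function names and the sample file are constructed, and it assumes a repeated -D property resolves to the last occurrence.

```shell
#!/bin/sh
# Added example (not from the thread): audit the MAX_COUNT value that a
# tomcat5.conf-style file hands to the JVM through JAVA_OPTS.
PROP='org.apache.tomcat.util.http.Parameters.MAX_COUNT'

# Print the value of the last -D$PROP=... token left in JAVA_OPTS after the
# file is evaluated; print nothing if the property is never set.
# Assumption: when a -D property is repeated, the JVM keeps the last one.
effective_max_count() {
    [ -r "$1" ] || return 0
    (
        JAVA_OPTS=''
        . "$1" >/dev/null 2>&1      # the file is shell syntax; pass a path with a slash
        set -f                      # no globbing while splitting JAVA_OPTS
        last=''
        for tok in $JAVA_OPTS; do
            case "$tok" in
                "-D$PROP="*) last=${tok#"-D$PROP="} ;;
            esac
        done
        printf '%s' "$last"
    )
}

# Map a value to a finding: unset (package default applies), unlimited (-1,
# no cap at all), bounded (explicit cap), or review (not a plain integer).
classify_max_count() {
    case "$1" in
        '')       echo unset ;;
        -1)       echo unlimited ;;
        *[!0-9]*) echo review ;;
        *)        echo bounded ;;
    esac
}

# Constructed sample file, modelled on the snippet in the post.
sample=$(mktemp)
cat >"$sample" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Xmx512m"
# RH KB 100383
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=10000"
EOF
value=$(effective_max_count "$sample")
echo "MAX_COUNT=${value:-<not set>} -> $(classify_max_count "$value")"
rm -f "$sample"
```

The result reflects only the file; the arguments of the running JVM are the final word on what was applied.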




RE: maxParameterCount with Tomcat 5.5.23

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Haenni, Tia [mailto:thaenni@burnsmcd.com] 
> Subject: RE: maxParameterCount with Tomcat 5.5.23

> I read some posts where it was apparently ignored and the default 
> used instead.

It would be interesting to know who's publishing such garbage.

> Can you confirm that setting maxParameterCount in the connector 
> attribute will override the default?

Not on a Tomcat mangled by Red Hat - you're on your own with that.  If you use a real Tomcat, it will certainly work.

- Chuck




RE: maxParameterCount with Tomcat 5.5.23

Posted by "Haenni, Tia" <th...@burnsmcd.com>.
Chuck,

Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now. 

I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.

Can you confirm that setting maxParameterCount in the connector attribute will override the default?

Thanks.

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Friday, May 11, 2012 3:19 PM
To: Tomcat Users List
Subject: RE: maxParameterCount with Tomcat 5.5.23

> From: Haenni, Tia [mailto:thaenni@burnsmcd.com]
> Subject: maxParameterCount with Tomcat 5.5.23

> A recent RHEL patch supplied the following Tomcat packages

Note that 5.5.23 is over five years old...  You might want to consider installing a real Tomcat from tomcat.apache.org instead of a 3rd-party mangled, horribly out-of-date version.  There are many more serious problems fixed in current levels.

> Since then I've encountered a problem with exceeding the 
> maxParameterCount which seems to default at 512:

That's not the default in a standard Tomcat.  Congratulate Red Hat on breaking things.

> Does anyone know how to tweak the maxParameterCount

Read the docs:

http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

 - Chuck




RE: maxParameterCount with Tomcat 5.5.23

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Haenni, Tia [mailto:thaenni@burnsmcd.com] 
> Subject: maxParameterCount with Tomcat 5.5.23

> A recent RHEL patch supplied the following Tomcat packages 

Note that 5.5.23 is over five years old...  You might want to consider installing a real Tomcat from tomcat.apache.org instead of a 3rd-party mangled, horribly out-of-date version.  There are many more serious problems fixed in current levels.

> Since then I've encountered a problem with exceeding the maxParameterCount 
> which seems to default at 512:

That's not the default in a standard Tomcat.  Congratulate Red Hat on breaking things.

> Does anyone know how to tweak the maxParameterCount

Read the docs:

http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

 - Chuck

