Posted to users@tomcat.apache.org by manjesh <ma...@gmail.com> on 2012/05/30 17:39:17 UTC
how to test hash collision security fix in tomcat 7.1
Hi,
I have downloaded tomcat 7.1 for Windows OS
added the following parameter (maxParameterCount) into server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" maxParameterCount="5"/>
restarted the server.
To test this fix, I created a JSP with 6 text fields having the same name
(example: <input type="text" name="username"/> 6 input boxes)
when I give input for all of these input fields and click on submit,
still the request is being processed...
I am expecting the request processing should be aborted and
IllegalStateException must be thrown according to the fix done in
Parameters class (in tomcat-coyote.jar)
Am I doing the test correctly? Please help me.
Note: I have also tried adding parameter to JAVA_OPTS in run.bat
--
Regards
Manjesh
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: how to test hash collision security fix in tomcat 7.1
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/5/31 manjesh <ma...@gmail.com>:
> Hi,
> The exact version of tomcat I am working with is 7.0.27
>
> I am verifying the fix discussed here
>
> http://news.softpedia.com/news/Apache-Tomcat-Workaround-for-Hashtable-Collision-DoS-Vulnerability-243544.shtml
>
>
> Here is the snippet of implementation [ ... ]
1. The docs are here:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html
2. IllegalStateException is caught and never returned to the caller of
the Servlet API
You can run Tomcat under debugger if you want to trace the
implementation details.
http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
Best regards,
Konstantin Kolinko
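As an added illustration (not Tomcat's source and not code from anyone in this thread), the following stand-alone Java program models the addParameter() logic quoted later in this thread together with the caller that catches the IllegalStateException, so the behaviour Konstantin describes can be observed without a running Tomcat. The class and method names (MaxParameterCountDemo, LimitedParameters, parseQuery, getValues) are invented for the example, the query string is constructed, and URL decoding and the other internals of the real Parameters class are left out.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration only; not Tomcat source. All names here are invented.
public class MaxParameterCountDemo {

    // Mirrors the shape of Parameters.addParameter() from tomcat-coyote.
    static class LimitedParameters {
        private final int limit;              // maxParameterCount; -1 means unlimited
        private int parameterCount = 0;
        private boolean parseFailed = false;
        private final Map<String, List<String>> paramHashValues = new LinkedHashMap<>();

        LimitedParameters(int limit) {
            this.limit = limit;
        }

        void addParameter(String key, String value) {
            if (key == null) {
                return;
            }
            parameterCount++;
            if (limit > -1 && parameterCount > limit) {
                // Over the limit: record the failure and abort parsing.
                parseFailed = true;
                throw new IllegalStateException(
                        "more than " + limit + " parameters in request");
            }
            paramHashValues.computeIfAbsent(key, k -> new ArrayList<>(1)).add(value);
        }

        List<String> getValues(String key) {
            List<String> v = paramHashValues.get(key);
            return v == null ? Collections.<String>emptyList() : v;
        }

        boolean isParseFailed() {
            return parseFailed;
        }
    }

    // Models the caller (Request.parseParameters in Catalina): the ISE is
    // caught here, so servlet or JSP code above it never sees an exception.
    static LimitedParameters parseQuery(String query, int limit) {
        LimitedParameters params = new LimitedParameters(limit);
        try {
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                String key = eq < 0 ? pair : pair.substring(0, eq);
                String val = eq < 0 ? "" : pair.substring(eq + 1);
                params.addParameter(key, val);   // no URL decoding in this model
            }
        } catch (IllegalStateException ise) {
            // Swallowed: the remaining parameters are ignored and the request continues.
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed input: six fields all named "username", like the JSP in the thread.
        String query = "username=a&username=b&username=c&username=d&username=e&username=f";
        LimitedParameters p = parseQuery(query, 5);
        System.out.println("username values kept: " + p.getValues("username"));
        System.out.println("parseFailed: " + p.isParseFailed());

        // The same request with the limit disabled (-1), for comparison.
        LimitedParameters unlimited = parseQuery(query, -1);
        System.out.println("values without a limit: " + unlimited.getValues("username").size());
    }
}
```

Compile with javac and run: with the limit at 5 and six username values, the first five are stored, the sixth is dropped, the parseFailed flag is set, and parseQuery returns normally, which is why the JSP in the question still ran. The equivalent check inside a real JSP is request.getParameterValues("username").length, which reports the number of values that survived the limit rather than the number submitted. If a request that hit the limit should be refused outright with a 400 instead of being processed with fewer parameters, Tomcat 7 ships org.apache.catalina.filters.FailedRequestFilter for that purpose, configured in web.xml like any other filter.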
Re: how to test hash collision security fix in tomcat 7.1
Posted by manjesh <ma...@gmail.com>.
Hi,
The exact version of tomcat I am working with is 7.0.27
I am verifying the fix discussed here
http://news.softpedia.com/news/Apache-Tomcat-Workaround-for-Hashtable-Collision-DoS-Vulnerability-243544.shtml
Here is the snippet of the implementation [org.apache.tomcat.util.http.Parameters.java]:

    // limit is set to the value of maxParameterCount from the Connector tag of server.xml
    private int limit = -1;
    private int parameterCount = 0;

    public void addParameter(String key, String value)
            throws IllegalStateException {
        if (key == null) {
            return;
        }
        parameterCount++;
        if (limit > -1 && parameterCount > limit) {
            // Processing this parameter will push us over the limit. ISE is
            // what Request.parseParts() uses for requests that are too big
            parseFailed = true;
            throw new IllegalStateException(sm.getString(
                    "parameters.maxCountFail", Integer.valueOf(limit)));
        }
        ArrayList<String> values = paramHashValues.get(key);
        if (values == null) {
            values = new ArrayList<String>(1);
            paramHashValues.put(key, values);
        }
        values.add(value);
    }

Now what happens when the number of request parameters exceeds maxParameterCount?
-Manjesh
On Thu, May 31, 2012 at 2:39 AM, Konstantin Kolinko
<kn...@gmail.com> wrote:
> 2012/5/30 manjesh <ma...@gmail.com>:
>> Hi,
>> I have downloaded tomcat 7.1 for Windows OS
>>
>
> 1. There is no such version. I do not know what you are testing.
>
>> added the following parameter (maxParameterCount) into server.xml
>>
>> <Connector port="8080" protocol="HTTP/1.1"
>> connectionTimeout="20000"
>> redirectPort="8443" maxParameterCount="5"/>
>>
>>
>>
>> restarted the server.
>>
>> To test this fix, I created a JSP with 6 text fields having the same name
>> (example: <input type="text" name="username"/> 6 input boxes)
>> when I give input for all of these input fields and click on submit,
>> still the request is being processed...
>> I am expecting the request processing should be aborted and
>> IllegalStateException must be thrown according to the fix done in
>> Parameters class (in tomcat-coyote.jar)
>>
>
> 2. Your expectations are wrong. Documentation for that option in
> the configuration reference says exactly what happens when you have more
> parameters than specified by that option.
>
> An IllegalStateException cannot be thrown, because the Servlet API does
> not allow that.
>
--
Regards
Manjesh
Re: how to test hash collision security fix in tomcat 7.1
Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/5/30 manjesh <ma...@gmail.com>:
> Hi,
> I have downloaded tomcat 7.1 for Windows OS
>
1. There is no such version. I do not know what you are testing.
> added the following parameter (maxParameterCount) into server.xml
>
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="8443" maxParameterCount="5"/>
>
>
>
> restarted the server.
>
> To test this fix, I created a JSP with 6 text fields having the same name
> (example: <input type="text" name="username"/> 6 input boxes)
> when I give input for all of these input fields and click on submit,
> still the request is being processed...
> I am expecting the request processing should be aborted and
> IllegalStateException must be thrown according to the fix done in
> Parameters class (in tomcat-coyote.jar)
>
2. Your expectations are wrong. Documentation for that option in
the configuration reference says exactly what happens when you have more
parameters than specified by that option.
An IllegalStateException cannot be thrown, because the Servlet API does
not allow that.