maxParameterCount with Tomcat 5.5.23


maxParameterCount with Tomcat 5.5.23

Haenni, Tia
A recent RHEL patch supplied the following Tomcat packages, which attempt to address a possible DoS attack as outlined at the link below:

tomcat5-jasper-5.5.23-0jpp.31.el5_8
tomcat5-server-lib-5.5.23-0jpp.31.el5_8
tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8
tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8
tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8
tomcat5-common-lib-5.5.23-0jpp.31.el5_8
tomcat5-webapps-5.5.23-0jpp.31.el5_8
tomcat5-5.5.23-0jpp.31.el5_8

http://rhn.redhat.com/errata/RHSA-2012-0474.html

Since then I've encountered a problem with exceeding the maxParameterCount which seems to default at 512:

May 4, 2012 2:30:27 PM org.apache.catalina.connector.Request parseParameters
WARNING: Exception thrown whilst processing POSTed parameters
java.lang.IllegalStateException: Parameter count exceeded allowed maximum: 512
                at org.apache.tomcat.util.http.Parameters.addParam(Parameters.java:331)
                at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407)
                at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:358)
                at org.apache.catalina.connector.Request.parseParameters(Request.java:2400)
                at org.apache.catalina.connector.Request.getParameterValues(Request.java:1063)
                at org.apache.catalina.connector.RequestFacade.getParameterValues(RequestFacade.java:394).........

I do not need it to be the old default of 10000 and I don't think I want to set it to unlimited (-1) but I do need more than 512 for the application I am supporting.

Does anyone know how to tweak the maxParameterCount in a standalone Tomcat listening on 8080, where requests are sent via Apache listening on 80?

This is not Tomcat as supplied with JBoss, so a fix such as that detailed at the link below I do not think will work:

http://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.3_Release_Notes/ar01s05.html

Thanks in advance!




RE: maxParameterCount with Tomcat 5.5.23

Caldarale, Charles R
> From: Haenni, Tia [mailto:[hidden email]]
> Subject: maxParameterCount with Tomcat 5.5.23

> A recent RHEL patch supplied the following Tomcat packages

Note that 5.5.23 is over five years old...  You might want to consider installing a real Tomcat from tomcat.apache.org instead of a 3rd-party mangled, horribly out-of-date version.  There are many more serious problems fixed in current levels.

> Since then I've encountered a problem with exceeding the maxParameterCount
> which seems to default at 512:

That's not the default in a standard Tomcat.  Congratulate Red Hat on breaking things.

> Does anyone know how to tweak the maxParameterCount

Read the docs:

http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


RE: maxParameterCount with Tomcat 5.5.23

Haenni, Tia
Chuck,

Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.

I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.

Can you confirm that setting maxParameterCount in the connector attribute will override the default?

Thanks.


Re: maxParameterCount with Tomcat 5.5.23

Konstantin Kolinko
2012/5/12 Haenni, Tia <[hidden email]>:
> Chuck,
>
> Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.
>
> I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.
>
> Can you confirm that setting maxParameterCount in the connector attribute will override the default?
>

It should, but that is up to you to confirm. You have that strange
version of Tomcat, we do not.

BTW Note, that ASF support of Tomcat 5.5.x branch ends in several months,
http://tomcat.apache.org/tomcat-55-eol.html

Best regards,
Konstantin Kolinko


RE: maxParameterCount with Tomcat 5.5.23

Haenni, Tia
Konstantin,

I am aware of the EOL for 5.5. We plan to upgrade to 6.x (whatever version RH decides to bestow upon us)

Thanks!


RE: maxParameterCount with Tomcat 5.5.23

Caldarale, Charles R
In reply to this post by Haenni, Tia
> From: Haenni, Tia [mailto:[hidden email]]
> Subject: RE: maxParameterCount with Tomcat 5.5.23

> I read some posts where it was apparently ignored and the default
> used instead.

It would be interesting to know who's publishing such garbage.

> Can you confirm that setting maxParameterCount in the connector
> attribute will override the default?

Not on a Tomcat mangled by Red Hat - you're on your own with that.  If you use a real Tomcat, it will certainly work.

- Chuck



RE: maxParameterCount with Tomcat 5.5.23

Jon Cabildo
This post has NOT been accepted by the mailing list yet.
In reply to this post by Caldarale, Charles R
Hi,

Got the same problem, here's how it was resolved.

Add this in catalina.properties

org.apache.tomcat.util.http.Parameters.MAX_COUNT=10000

Hope that helps.

regards,
Jon

RE: maxParameterCount with Tomcat 5.5.23

Haenni, Tia
In reply to this post by Caldarale, Charles R
For my Red Hat delivered Tomcat, changes to the connector attribute were ignored. However, I did find a fix that works.

In tomcat5.conf, after all other settings are added to JAVA_OPTS, add the value you desire for max parameter count like this:

# RH KB 100383
# Override default max parameter count of 512
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=10000"

The Red Hat KB article references JBoss run script, but the above works fine for standalone Tomcat.
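
The post above says the -D option has to be added after all other JAVA_OPTS settings; as an added example that is not part of the original thread, this script evaluates a tomcat5.conf-style file and reports which MAX_COUNT value actually survives in JAVA_OPTS. The sample files, the -Xmx512m option and the function names are constructed for illustration; that the last repeated -D wins and that -1 means unlimited are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report which Parameters.MAX_COUNT value
# survives in JAVA_OPTS after a tomcat5.conf-style file is fully evaluated.

PROP='org.apache.tomcat.util.http.Parameters.MAX_COUNT'

# Print the value of the last -D$PROP=... token in an option string.
# Assumption: when a -D property is repeated, the JVM keeps the last one.
max_count_from_opts() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        sed -n "s/^-D$PROP=\(.*\)\$/\1/p" | tail -n 1
}

# Source the file in a subshell, as a startup script would, and print the
# effective value (empty output means the property never reaches the JVM).
# Only run this on a config file you already trust: sourcing executes it.
effective_max_count() {
    ( JAVA_OPTS=''; . "$1" >/dev/null 2>&1; max_count_from_opts "$JAVA_OPTS" )
}

# Classify a value. Treating -1 as "unlimited" follows the thread's wording
# and is an assumption for the Red Hat build.
classify_max_count() {
    case "$1" in
        '')        echo 'unset' ;;
        -1)        echo 'unlimited' ;;
        *[!0-9]*)  echo 'invalid' ;;
        *)         echo 'limited' ;;
    esac
}

# Constructed sample files: one appends last, one is clobbered by a later line.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Xmx512m"
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=10000"
EOF
cat > "$demo_dir/clobbered.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=10000"
JAVA_OPTS="-Xmx512m"
EOF
for f in good clobbered; do
    v=$(effective_max_count "$demo_dir/$f.conf")
    echo "$f.conf: value='${v}' -> $(classify_max_count "$v")"
done
rm -rf "$demo_dir"
```

The same `max_count_from_opts` function can be fed the command line of the running Tomcat JVM to confirm the option reached the process after a restart.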
