Discussion:
maxParameterCount with Tomcat 5.5.23
Haenni, Tia
2012-05-11 20:03:29 UTC
Permalink
A recent RHEL patch supplied the following Tomcat packages which attempt to address a possible DoS attack as outlines at the link below:

tomcat5-jasper-5.5.23-0jpp.31.el5_8
tomcat5-server-lib-5.5.23-0jpp.31.el5_8
tomcat5-servlet-2.4-api-5.5.23-0jpp.31.el5_8
tomcat5-jsp-2.0-api-5.5.23-0jpp.31.el5_8
tomcat5-admin-webapps-5.5.23-0jpp.31.el5_8
tomcat5-common-lib-5.5.23-0jpp.31.el5_8
tomcat5-webapps-5.5.23-0jpp.31.el5_8
tomcat5-5.5.23-0jpp.31.el5_8

http://rhn.redhat.com/errata/RHSA-2012-0474.html

Since then I've encountered a problem with exceeding the maxParameterCount which seems to default at 512:

May 4, 2012 2:30:27 PM org.apache.catalina.connector.Request parseParameters
WARNING: Exception thrown whilst processing POSTed parameters
java.lang.IllegalStateException: Parameter count exceeded allowed maximum: 512
at org.apache.tomcat.util.http.Parameters.addParam(Parameters.java:331)
at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407)
at org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:358)
at org.apache.catalina.connector.Request.parseParameters(Request.java:2400)
at org.apache.catalina.connector.Request.getParameterValues(Request.java:1063)
at org.apache.catalina.connector.RequestFacade.getParameterValues(RequestFacade.java:394).........

I do not need it to be the old default of 10000 and I don't think I want to set it to unlimited (-1) but I do need more than 512 for the application I am supporting.

Does anyone know how to tweak the maxParameterCount in a standalone Tomcat listening on 8080, requests are sent via Apache listening on 80?

This is not Tomcat as supplied with JBoss, so a fix such as that detailed at the link below I do not think will work:

http://docs.redhat.com/docs/en-US/JBoss_Communications_Platform/5.1/html/5.1.3_Release_Notes/ar01s05.html

Thanks in advance!
Caldarale, Charles R
2012-05-11 20:19:14 UTC
Permalink
Subject: maxParameterCount with Tomcat 5.5.23
A recent RHEL patch supplied the following Tomcat packages
Note that 5.5.23 is over five years old... You might want to consider installing a real Tomcat from tomcat.apache.org instead of a 3rd-party mangled, horribly out-of-date version. There are many more serious problems fixed in current levels.
Since then I've encountered a problem with exceeding the maxParameterCount
That's not the default in a standard Tomcat. Congratulate Red Hat on breaking things.
Does anyone know how to tweak the maxParameterCount
Read the docs:

http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Haenni, Tia
2012-05-11 20:33:52 UTC
Permalink
Chuck,

Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.

I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.

Can you confirm that setting maxParameterCount in the connector attribute will override the default?

Thanks.

-----Original Message-----
From: Caldarale, Charles R [mailto:***@unisys.com]
Sent: Friday, May 11, 2012 3:19 PM
To: Tomcat Users List
Subject: RE: maxParameterCount with Tomcat 5.5.23
Subject: maxParameterCount with Tomcat 5.5.23
A recent RHEL patch supplied the following Tomcat packages
Note that 5.5.23 is over five years old... You might want to consider installing a real Tomcat from tomcat.apache.org instead of a 3rd-party mangled, horribly out-of-date version. There are many more serious problems fixed in current levels.
Since then I've encountered a problem with exceeding the
That's not the default in a standard Tomcat. Congratulate Red Hat on breaking things.
Does anyone know how to tweak the maxParameterCount
Read the docs:

http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Konstantin Kolinko
2012-05-11 20:42:51 UTC
Permalink
Post by Haenni, Tia
Chuck,
Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.
I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.
Can you confirm that setting maxParameterCount in the connector attribute will override the default?
It should, but that is up to you to confirm. You have that strange
version of Tomcat, we do not.

BTW Note, that ASF support of Tomcat 5.5.x branch ends in several months,
http://tomcat.apache.org/tomcat-55-eol.html

Best regards,
Konstantin Kolinko
Haenni, Tia
2012-05-11 20:46:56 UTC
Permalink
Konstantin,

I am aware of the EOL for 5.5. We plan to upgrade to 6.x (whatever version RH decides to bestow upon us)

Thanks!

-----Original Message-----
From: Konstantin Kolinko [mailto:***@gmail.com]
Sent: Friday, May 11, 2012 3:43 PM
To: Tomcat Users List
Subject: Re: maxParameterCount with Tomcat 5.5.23
Post by Haenni, Tia
Chuck,
Thank you for your response. Unfortunately, due to some company policies on supporting packages as supplied by Red Hat, I am stuck with 5.5.23 for now.
I've read the docs and I am aware of the setting for maxParameterCount, which is not set at all in my Tomcat. What I don't know is if it will be honored. I read some posts where it was apparently ignored and the default used instead.
Can you confirm that setting maxParameterCount in the connector attribute will override the default?
It should, but that is up to you to confirm. You have that strange version of Tomcat, we do not.

BTW Note, that ASF support of Tomcat 5.5.x branch ends in several months, http://tomcat.apache.org/tomcat-55-eol.html

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Caldarale, Charles R
2012-05-11 20:51:00 UTC
Permalink
Post by Haenni, Tia
Subject: RE: maxParameterCount with Tomcat 5.5.23
I read some posts where it was apparently ignored and the default
used instead.
It would be interesting to know who's publishing such garbage.
Post by Haenni, Tia
Can you confirm that setting maxParameterCount in the connector
attribute will override the default?
Not on a Tomcat mangled by Red Hat - you're on your own with that. If you use a real Tomcat, it will certainly work.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Haenni, Tia
2012-05-24 14:59:13 UTC
Permalink
For my Red Hat delivered Tomcat, changes to the connector attribute were ignored. However, I did find a fix that works.

In tomcat5.conf, after all other settings are added to JAVA_OPTS, add the value you desire for max parameter count like this:

# RH KB 100383
# Override default max parameter count of 512
JAVA_OPTS="$JAVA_OPTS -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT=10000"

The Red Hat KB article references JBoss run script, but the above works fine for standalone Tomcat.

-----Original Message-----
From: Caldarale, Charles R [mailto:***@unisys.com]
Sent: Friday, May 11, 2012 3:51 PM
To: Tomcat Users List
Subject: RE: maxParameterCount with Tomcat 5.5.23
Post by Haenni, Tia
Subject: RE: maxParameterCount with Tomcat 5.5.23
I read some posts where it was apparently ignored and the default used
instead.
It would be interesting to know who's publishing such garbage.
Post by Haenni, Tia
Can you confirm that setting maxParameterCount in the connector
attribute will override the default?
Not on a Tomcat mangled by Red Hat - you're on your own with that. If you use a real Tomcat, it will certainly work.

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org

Loading...