The Vulnerability History Project

* Improve performance of parameter processing

      <add>
        Improve performance of parameter processing for GET and POST requests.
        Also add an option to limit the maximum number of parameters processed
        per request. This defaults to 10000. Excessive parameters are ignored.
        Note that <code>FailedRequestFilter</code> can be used to reject the
        request if some parameters were ignored. (markt/kkolinko)
      </add>
      <add>
        New filter <code>FailedRequestFilter</code> that will reject a request
        if there were errors during HTTP parameter parsing. (kkolinko)
      </add>
  Before the patch:
  Should be created by patch tool automatically, but just to be sure:
    mkdir container/catalina/src/share/org/apache/catalina/filters
    svn add container/catalina/src/share/org/apache/catalina/filters
  Apply patch:
    http://people.apache.org/~kkolinko/patches/2011-11-17_tc55_parameters-v5.patch
  After the patch:
    svn propset svn:eol-style na

by Maureen the Dinosaur 2011-12-20 14:34:48 UTC

commit 0314fe7743cb72e469cb395ccaaf2793a2ea0355

Tomcat Fix Parameter Overloading CVE-2012-0022

STATUS.txt

+25

connectors/coyote/src/java/org/apache/coyote/Request.java

+1

connectors/util/java/org/apache/tomcat/util/buf/B2CConverter.java

+25 -55

connectors/util/java/org/apache/tomcat/util/buf/ByteChunk.java

+32 -36

connectors/util/java/org/apache/tomcat/util/buf/MessageBytes.java