On 09/03/2023 14:23, Christopher Schultz wrote:
Mark,
On 3/9/23 05:56, Mark Thomas wrote:
Hi all,
In the context of CVE-2023-24998 (performance issues for large numbers
of uploaded parts), I have been wondering about reducing the default
value for maxParameterCount.
The current default for maxParameterCount is 10,000. It was set based
on it being low enough to mitigate CVE-2012-0022 (hash collisions in
parameter names triggering performance issues) while being so high it
was considered extremely unlikely to impact any web application.
Also relevant: maxPostSize and maxHttpRequestHeaderSize which help to
limit the total size of a request, regardless of the number of parameters.
I don't think we can lower those any further by default. If anything,
the trend is towards making them larger.
The current default is sufficiently low to mitigate CVE-2023-24998.
There isn't any reason I am aware of that means we need to reduce the
default for maxParameterCount. My thinking is more along the lines
that when we last thought about this default in 2012, it was
considered from the perspective of "How high can we set this and still
be sure applications aren't exposed to CVE-2012-0022 or something like
it?". If we consider it from the perspective of "How low can we make
this without breaking many / most / (nearly) all applications?" I
think we'll choose a much lower number.
+1
Another benefit of a lower number is to harden Tomcat in advance
against future vulnerabilities like CVE-2023-24998.
I was wondering about a new default of 1000 or maybe even 500.
This would certainly be for 11.0.x. I think it should be back-ported
but maybe in stages (5000, 3000, 2000, 1000) and/or delayed so it is
reduced in 10.1.x for a few releases before we reduce it in 9.0.x and
then a few more releases before we reduce it in 8.5.x.
Thoughts?
+1 for 1000. 500 seems insane to me but I'm sure there is some
application out there which uses 1000 parameters instead of JSON, etc.
for some reason.
I've reduced the default to 1,000 for 11.0.x.
Thoughts on if/how to back-port this to 10.1.x and friends?
Straight to 1000 for all older versions?
Straight to 1000 for 10.1.x then wait a few releases for each further
backport?
Or more cautious and backport a gradual reduction?
Mark
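As an added illustration of the limit under discussion (example code written for this note, not Tomcat's own parameter parser), a small Python model of how a shared GET-plus-POST count limit bounds parsing work. The function names are assumptions; the ignore-versus-reject behaviour follows what Tomcat documents for maxParameterCount and FailedRequestFilter.

```python
from urllib.parse import unquote_plus

# Default chosen in the thread for 11.0.x (the older default was 10,000).
DEFAULT_MAX_PARAMETER_COUNT = 1000


def parse_parameters(query, body, max_parameter_count=DEFAULT_MAX_PARAMETER_COUNT,
                     fail_on_limit=False):
    """Parse URL-encoded GET (query) and POST (body) pairs against one shared
    limit, modelled on Tomcat's maxParameterCount: pairs beyond the limit are
    ignored (the connector default) or, with fail_on_limit=True, the request
    is rejected (what FailedRequestFilter does). A negative limit means no limit.
    Returns (params, parsed_count, limit_hit)."""
    params = {}
    count = 0
    limit_hit = False
    for source in (query, body):
        for pair in (source or "").split("&"):
            if not pair:
                continue
            if 0 <= max_parameter_count <= count:
                # Stop here: the work done is bounded by the limit, not by
                # however many pairs the client chose to send.
                limit_hit = True
                break
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
            count += 1
        if limit_hit:
            break
    if limit_hit and fail_on_limit:
        raise ValueError("parameter count limit of %d exceeded" % max_parameter_count)
    return params, count, limit_hit


def rejects(query, body, max_parameter_count=DEFAULT_MAX_PARAMETER_COUNT):
    """True if the request would be refused in fail_on_limit mode."""
    try:
        parse_parameters(query, body, max_parameter_count, fail_on_limit=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request: 1,500 POST pairs, well above the new default.
    body = "&".join("p%d=%d" % (i, i) for i in range(1500))
    params, count, hit = parse_parameters("", body)
    print(count, hit, "p999" in params, "p1000" in params)  # 1000 True True False
```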
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org