svn commit: r1200264 - in /tomcat/tc7.0.x/trunk: ./ webapps/docs/config/ajp.xml webapps/docs/config/filter.xml webapps/docs/config/http.xml webapps/docs/security-howto.xml

Thu, 10 Nov 2011 02:50:56 -0800 

Author: kkolinko
Date: Thu Nov 10 10:50:31 2011
New Revision: 1200264

URL: http://svn.apache.org/viewvc?rev=1200264&view=rev
Log:
Merged revision 1200263 from tomcat/trunk:
Add links to FailedRequestFilter in several places
and do other small documentation improvements.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
    tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Nov 10 10:50:31 2011
@@ -1 +1 @@
-/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166693,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172556,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096
 
,1173241,1173256,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175798,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178684,1178721,1179268,1179274,1180261,1180865,1180891,1180894,1180907,1181028,1181123,1181125,1181136,1181291,1181743,1182796,1183078,1183105,1183142,1183328,1183339-1183340,1183492-1183494,1183605,1184917,1184919,1185018,1185020,1185200,1185588,1185626,1185756,1185758,1186011,1186042-1186045,1186104,1186123,1186137,1186153,1186254,1186257,1186377-1186379,1186479-1186480,1186712,1186743,1186750,1186763,1186890-1186892,1186894,1186949,1187018,1187027-1187028,1187381,1187
 
753,1187755,1187775,1187801,1187806,1187809,1187827,1188301,1188303-1188305,1188399,1188822,1188930-1188931,1189116,1189129,1189183,1189240,1189256,1189386,1189413-1189414,1189477,1189685,1189805,1189857,1189864,1189882,1190034,1190185,1190279,1190339,1190371,1190388-1190389,1190474,1190481,1194915,1195222-1195223,1195531,1195899,1195905,1195943,1195949,1195953,1195955,1195965,1195968,1196175,1196212,1196223,1196304-1196305,1196735,1196825,1196827,1197158,1197261,1197263,1197299-1197300,1197305,1197339-1197340,1197343,1197382,1197386-1197387,1197480,1197578,1198497,1198528,1198552,1198602,1198604,1198607,1198622,1198640,1198696,1198707,1199418,1199432,1199436,1199513,1199529,1199980,1199996,1200056,1200089,1200106-1200107
+/tomcat/trunk:1156115,1156171,1156276,1156304,1156519,1156530,1156602,1157015,1157018,1157151,1157198,1157204,1157810,1157832,1157834,1157847,1157908,1157939,1158155,1158160,1158176,1158195,1158198-1158199,1158227,1158331,1158334-1158335,1158426,1160347,1160592,1160611,1160619,1160626,1160639,1160652,1160720-1160721,1160772,1160774,1160776,1161303,1161310,1161322,1161339,1161486,1161540,1161549,1161584,1162082,1162149,1162169,1162721,1162769,1162836,1162932,1163630,1164419,1164438,1164469,1164480,1164567,1165234,1165247-1165248,1165253,1165273,1165282,1165309,1165331,1165338,1165347,1165360-1165361,1165367-1165368,1165602,1165608,1165677,1165693,1165721,1165723,1165728,1165730,1165738,1165746,1165765,1165777,1165918,1165921,1166077,1166150-1166151,1166290,1166366,1166620,1166686,1166693,1166752,1166757,1167368,1167394,1169447,1170647,1171692,1172233-1172234,1172236,1172269,1172278,1172282,1172556,1172610,1172664,1172689,1172711,1173020-1173021,1173082,1173088,1173090,1173096
 
,1173241,1173256,1173288,1173333,1173342,1173461,1173614,1173630,1173659,1173722,1174061,1174239,1174322,1174325,1174329-1174330,1174337-1174339,1174343,1174353,1174799,1174882,1174884,1174983,1175155,1175158,1175167,1175182,1175190,1175201,1175272,1175275,1175283,1175582,1175589-1175590,1175594,1175602,1175613,1175633,1175690,1175713,1175798,1175889,1175896,1175907,1176584,1176590,1176799,1177050,1177060,1177125,1177152,1177160,1177245,1177850,1177862,1177978,1178209,1178228,1178233,1178449,1178542,1178681,1178684,1178721,1179268,1179274,1180261,1180865,1180891,1180894,1180907,1181028,1181123,1181125,1181136,1181291,1181743,1182796,1183078,1183105,1183142,1183328,1183339-1183340,1183492-1183494,1183605,1184917,1184919,1185018,1185020,1185200,1185588,1185626,1185756,1185758,1186011,1186042-1186045,1186104,1186123,1186137,1186153,1186254,1186257,1186377-1186379,1186479-1186480,1186712,1186743,1186750,1186763,1186890-1186892,1186894,1186949,1187018,1187027-1187028,1187381,1187
 
753,1187755,1187775,1187801,1187806,1187809,1187827,1188301,1188303-1188305,1188399,1188822,1188930-1188931,1189116,1189129,1189183,1189240,1189256,1189386,1189413-1189414,1189477,1189685,1189805,1189857,1189864,1189882,1190034,1190185,1190279,1190339,1190371,1190388-1190389,1190474,1190481,1194915,1195222-1195223,1195531,1195899,1195905,1195943,1195949,1195953,1195955,1195965,1195968,1196175,1196212,1196223,1196304-1196305,1196735,1196825,1196827,1197158,1197261,1197263,1197299-1197300,1197305,1197339-1197340,1197343,1197382,1197386-1197387,1197480,1197578,1198497,1198528,1198552,1198602,1198604,1198607,1198622,1198640,1198696,1198707,1199418,1199432,1199436,1199513,1199529,1199980,1199996,1200056,1200089,1200106-1200107,1200263

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml?rev=1200264&r1=1200263&r2=1200264&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/ajp.xml Thu Nov 10 10:50:31 2011
@@ -99,7 +99,9 @@
       <p>The maximum number of parameter and value pairs (GET plus POST) which
       will be automatically parsed by the container. Parameter and value pairs
       beyond this limit will be ignored. A value of less than 0 means no limit.
-      If not specified, a default of 10000 is used.</p>
+      If not specified, a default of 10000 is used. Note that
+      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
+      used to reject requests that hit the limit.</p>
     </attribute>
 
     <attribute name="maxPostSize" required="false">

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml?rev=1200264&r1=1200263&r2=1200264&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/filter.xml Thu Nov 10 10:50:31 2011
@@ -1226,6 +1226,8 @@ org.apache.catalina.filters.RequestDumpe
     filter is not so high, because parameter parsing does check content type
     of the request before consuming the request body.</p>
 
+    <p>The request is rejected with HTTP status code 400 (Bad Request).</p>
+
   </subsection>
 
   <subsection name="Filter Class Name">

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1200264&r1=1200263&r2=1200264&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Nov 10 10:50:31 2011
@@ -97,7 +97,9 @@
       <p>The maximum number of parameter and value pairs (GET plus POST) which
       will be automatically parsed by the container. Parameter and value pairs
       beyond this limit will be ignored. A value of less than 0 means no limit.
-      If not specified, a default of 10000 is used.</p>
+      If not specified, a default of 10000 is used. Note that
+      <code>FailedRequestFilter</code> <a href="filter.html">filter</a> can be
+      used to reject requests that hit the limit.</p>
     </attribute>
 
     <attribute name="maxPostSize" required="false">

Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1200264&r1=1200263&r2=1200264&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Thu Nov 10 10:50:31 
2011
@@ -161,6 +161,12 @@
       minutes) so this is limited to 4KB by default to reduce exposure to a DOS
       attack.</p>
 
+      <p>The <strong>maxParameterCount</strong> attribute controls the
+      maximum number of parameter and value pairs (GET plus POST) that can
+      be parsed and stored in the request. Excessive parameters are ignored.
+      If you want to reject such requests, configure a
+      <a href="config/filter.html">FailedRequestFilter</a>.</p>
+
       <p>The <strong>xpoweredBy</strong> attribute controls whether or not the
       X-Powered-By HTTP header is sent with each request. If sent, the value of
       the header contains the Servlet and JSP specification versions, the full
@@ -207,6 +213,10 @@
       current state of this vulnerability and the work-arounds available see 
the
       <a href="http://tomcat.apache.org/security-7.html";>Tomcat 7 security
       page</a>.</p>
+
+      <p>The <strong>requiredSecret</strong> attribute in AJP connectors
+      configures shared secret between Tomcat and reverse proxy in front of
+      Tomcat. It is used to prevent unauthorized connections over AJP 
protocol.</p>
     </subsection>
 
     <subsection name="Host">
@@ -220,11 +230,19 @@
 
       <p>In a hosted environment where web applications may not be trusted, set
       the <strong>deployXml</strong> attribute to false to ignore any
-      context.xml packaged with the web application that may try to assigned
+      context.xml packaged with the web application that may try to assign
       increased privileges to the web application. </p>
     </subsection>
 
     <subsection name="Context">
+      <p>This applies to <a href="config/context.html">Context</a>
+      elements in all places where they can be defined:
+      <code>server.xml</code> file,
+      default <code>context.xml</code> file,
+      per-host <code>context.xml.default</code> file,
+      web application context file in per-host configuration directory
+      or inside the web application.</p>
+
       <p>The <strong>crossContext</strong> attribute controls if a context is
       allowed to access the resources of another context. It is
       <code>false</code> by default and should only be changed for trusted web
@@ -252,7 +270,7 @@
       context as required.</p>
 
       <p>Any administrative application should be protected by a
-      RemoteAddressValve. (Note that this Valve is also available as a Filter.)
+      RemoteAddrValve. (Note that this Valve is also available as a Filter.)
       The <strong>allow</strong> attribute should be used to limit access to a
       set of known trusted hosts.</p>
 
@@ -260,7 +278,7 @@
       response sent to clients. To avoid this, custom error handling can be
       configured within each web application. Alternatively, the version number
       can be changed by creating the file
-      CATALINA_HOME/lib/org/apache/catalina/util/ServerInfo.properties with
+      CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with
       content as follows:</p>
       <source>
 server.info=Apache Tomcat/7.0.x
@@ -335,8 +353,13 @@ server.info=Apache Tomcat/7.0.x
     as UTF-7.</p>
   </section>
 
-  <section name="CATALINA_BASE/conf/web.xml">
-    <p>The DefaultServlet is configured with <strong>readonly</strong> set to
+  <section name="web.xml">
+    <p>This applies to the default <code>conf/web.xml</code> file and
+    <code>WEB-INF/web.xml</code> files in web applications if they define
+    the components mentioned here.</p>
+
+    <p>The <a href="default-servlet.html">DefaultServlet</a> is configured
+    with <strong>readonly</strong> set to
     <code>true</code>. Changing this to <code>false</code> allows clients to
     delete or modify static resources on the server and to upload new
     resources. This should not normally be changed without requiring
@@ -347,6 +370,11 @@ server.info=Apache Tomcat/7.0.x
     considered unsafe but because generating listings of directories with
     thousands of files can consume significant CPU leading to a DOS attack.
     </p>
+
+    <p><a href="config/filter.html">FailedRequestFilter</a>
+    can be configured and used to reject requests that had errors during
+    request parameter parsing. Without the filter the default behaviour is
+    to ignore invalid or excessive parameters.</p>
   </section>
 
   <section name="General">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to