Mark,

On 12/28/11 5:28 PM, Mark Thomas wrote:
> Tomcat has implemented a work-around for this issue by providing a new
> option (maxParameterCount) to limit the number of parameters processed
> for a single request. This default limit is 10000: high enough to be
> unlikely to affect any application; low enough to mitigate the effects
> of the DoS.
While POST-size-limiting and parameter-count-limiting are both reasonable mitigating procedures, would the use of a randomized hash be something worth doing? There are other solutions of course, but Tomcat could subclass commons-collections' HashedMap and alter the behavior of the hashIndex method to add a salt to the hashcode of any parameter name that will be inserted into the hash map.

-chris
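An added example to illustrate the salted-hash idea raised in the reply above. This is not Tomcat or commons-collections code; it is a stand-alone, self-contained Java program with a minimal chained hash table whose hash()/hashIndex() split mirrors the one in a map class, and all class, method and interface names in it (SaltedHashIndexDemo, KeyHasher, collidingKeys, postHocSalt, keyedHash, distinctBuckets) are hypothetical. It shows the practical catch with the proposal: Java's String.hashCode() is a fixed polynomial (h = 31*h + c), so an attacker can generate thousands of distinct parameter names with the identical 32-bit hash code; a salt applied to that finished hash code, however well mixed, maps equal inputs to equal outputs and leaves the whole flood in one bucket. The salt has to key the hash over the characters themselves. The keyed variant here uses JDK HMAC-SHA256 truncated to 32 bits only because it is unambiguously correct; a real table would use a fast keyed hash designed for the job, such as SipHash.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Tomcat or commons-collections code. All names are
// hypothetical; the table layout is a minimal stand-in for HashedMap.
public class SaltedHashIndexDemo {

    /** Hash strategy, mirroring the hash()/hashIndex() split of a map class. */
    interface KeyHasher {
        int hash(String key);
    }

    /** Build 2^n distinct strings that all share one String.hashCode(). */
    static List<String> collidingKeys(int n) {
        // "Aa" and "BB" both hash to 2112 under h = 31*h + c, and any
        // concatenation of such two-character blocks collides as well.
        List<String> keys = new ArrayList<>();
        keys.add("");
        for (int i = 0; i < n; i++) {
            List<String> next = new ArrayList<>(keys.size() * 2);
            for (String k : keys) {
                next.add(k + "Aa");
                next.add(k + "BB");
            }
            keys = next;
        }
        return keys;
    }

    /** Unsalted: what HashMap and HashedMap use by default. */
    static final KeyHasher PLAIN = String::hashCode;

    /** Salt applied AFTER hashCode(): equal hash codes stay equal, so this
     *  cannot separate keys crafted to collide on the full 32-bit value. */
    static KeyHasher postHocSalt(int salt) {
        return key -> {
            int h = key.hashCode() ^ salt;
            h ^= (h >>> 16);          // the same kind of bit spreading HashMap does
            h *= 0x85ebca6b;
            return h ^ (h >>> 13);
        };
    }

    /** Keyed hash over the characters themselves (HMAC-SHA256, first 32 bits).
     *  Deliberately heavyweight for clarity; SipHash is the usual choice. */
    static KeyHasher keyedHash(byte[] secret) {
        return key -> {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(secret, "HmacSHA256"));
                byte[] d = mac.doFinal(key.getBytes(StandardCharsets.UTF_8));
                return (d[0] << 24) | ((d[1] & 0xff) << 16)
                     | ((d[2] & 0xff) << 8) | (d[3] & 0xff);
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        };
    }

    /** Bucket index from a hash value; dataSize is a power of two. */
    static int hashIndex(int hashCode, int dataSize) {
        return hashCode & (dataSize - 1);
    }

    /** Number of distinct buckets the keys occupy. A result of 1 means one
     *  long chain and quadratic insertion time, which is the DoS. */
    static int distinctBuckets(List<String> keys, KeyHasher hasher, int dataSize) {
        boolean[] seen = new boolean[dataSize];
        int count = 0;
        for (String k : keys) {
            int idx = hashIndex(hasher.hash(k), dataSize);
            if (!seen[idx]) {
                seen[idx] = true;
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        List<String> keys = collidingKeys(12);   // 4096 crafted parameter names
        int dataSize = 8192;
        SecureRandom rng = new SecureRandom();
        byte[] secret = new byte[16];
        rng.nextBytes(secret);

        System.out.println("keys=" + keys.size()
            + " shared hashCode=" + keys.get(0).hashCode());
        System.out.println("plain       buckets: " + distinctBuckets(keys, PLAIN, dataSize));
        System.out.println("post-hoc    buckets: " + distinctBuckets(keys, postHocSalt(rng.nextInt()), dataSize));
        System.out.println("keyed hash  buckets: " + distinctBuckets(keys, keyedHash(secret), dataSize));
    }
}
```

Running it prints 1 bucket for both the plain and the post-hoc salted hash and several thousand for the keyed hash. Two caveats for anyone taking the idea further: the per-process secret must not be derivable by a client (a timing oracle on lookups, or a hash value leaking into a response, hands the attacker the key and the flood comes back), and the salted table has to be used everywhere request-controlled names land, not only for the parameter map. Java 8's HashMap took a different route to the same problem, converting long chains of Comparable keys into red-black trees so that a collision flood costs O(n log n) instead of O(n^2); either approach is complementary to the maxParameterCount limit rather than a replacement for it.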